MAL-2025-3006

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/tcloud-python-test/MAL-2025-3006.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2025-3006

Aliases

SNYK-PYTHON-TCLOUDPYTHONTEST-12201353

Published

2025-02-25T18:18:21Z

Modified

2026-03-19T12:57:17.324810Z

Summary

Malicious code in tcloud-python-test (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (221affa8a84428ae21f288ce299d114742d269e7bbcbf223a0aa666327fae2c4)

This campaign is built from two parts: 1) packages named like time-check-server, snapshot-photo contain an innocent-looking code that sends "date" to a remote server, 2) packages named like alicloud-client are clones of legit aliyun-python-sdk-core package, with a small change in the client.py code, where it imports the time-check-server and calls it, but instead of a date, the credentials to the cloud are exfiltrated. There are also variations with AWS clients

Apparently, the campaign started at least 2 years ago with the snapshot-photo package containing the same functionality as the newer time-check-server (see https://github.com/pypi-data/pypi-mirror-238/blob/code/packages/snapshot-photo/snapshotphoto-0.0.3-py3-none-any.whl/snapshotphoto/date_format.py).

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-02-alicloud-client

Reasons (based on the campaign):

clones-real-package
action-hidden-in-lib-usage
The malicious code is intentionally included in a dependency of the package
exfiltration-cloud-tokens

Database specific

{
    "iocs": {
        "domains": [
            "checktimeserver.org",
            "aliyun-sdk-requests.xyz"
        ],
        "urls": [
            "https://api.checktimeserver.org/",
            "https://api.aliyun-sdk-requests.xyz/"
        ]
    },
    "malicious-packages-origins": [
        {
            "sha256": "b4be4b1ed6050855e2f9c6b1bfa0a9cd4c34a16211339ae604603d0e6aed6ba1",
            "source": "reversing-labs",
            "import_time": "2025-03-31T07:07:06.980236897Z",
            "versions": [
                "1.0.0"
            ],
            "id": "RLMA-2025-02005",
            "modified_time": "2025-03-28T13:06:22Z"
        },
        {
            "sha256": "5852c723e0b065d1baa10c7bf39fcc721dc7670afb0d2b0e6a2b3cdfb2ec75ca",
            "source": "reversing-labs",
            "import_time": "2025-09-26T11:06:10.935474543Z",
            "id": "RLUA-2025-04811",
            "modified_time": "2025-09-26T09:14:39Z"
        },
        {
            "sha256": "dfd60357d0f2edeef38c986940b03ad4707313ad64a7ff32fa9a7e6140b08f28",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "import_time": "2025-12-02T22:30:55.629158524Z",
            "source": "kam193",
            "id": "pypi/2025-02-alicloud-client/tcloud-python-test",
            "modified_time": "2025-02-25T18:18:21Z"
        },
        {
            "sha256": "221affa8a84428ae21f288ce299d114742d269e7bbcbf223a0aa666327fae2c4",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "import_time": "2025-12-02T23:07:18.670693612Z",
            "source": "kam193",
            "id": "pypi/2025-02-alicloud-client/tcloud-python-test",
            "modified_time": "2025-02-25T18:18:21Z"
        },
        {
            "sha256": "d59dfeaf84ba550b8e71f5efae21f11364439f657c8e1c4d47c57b5f8609ca13",
            "source": "kam193",
            "import_time": "2025-12-10T21:38:57.857154991Z",
            "versions": [
                "1.0.0"
            ],
            "id": "pypi/2025-02-alicloud-client/tcloud-python-test",
            "modified_time": "2025-02-25T18:18:21Z"
        },
        {
            "sha256": "11d9a3e61e62baea7d63856b527d37380e867d50a65ab06d702c843d1ecd3fee",
            "source": "kam193",
            "import_time": "2026-01-30T19:43:58.387730388Z",
            "versions": [
                "1.0.0"
            ],
            "id": "pypi/2025-02-alicloud-client/tcloud-python-test",
            "modified_time": "2025-02-25T18:18:21Z"
        },
        {
            "sha256": "1af6cd0720c9fcaefe80c4432e2496f4dc4a4619e9a830b552a7034eae5dc1bd",
            "source": "reversing-labs",
            "import_time": "2026-03-19T12:20:31.895269124Z",
            "id": "RLUA-2026-00804",
            "modified_time": "2026-03-18T12:19:19Z"
        }
    ]
}

References

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - ANALYST
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- ReversingLabs - FINDER
- - https://www.reversinglabs.com

Affected packages

PyPI / tcloud-python-test

Package

Name: tcloud-python-test; View open source insights on deps.dev
Purl: pkg:pypi/tcloud-python-test

Affected ranges

Affected versions

1.*

1.0.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/tcloud-python-test/MAL-2025-3006.json"