MAL-2025-3430

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/bbllaacckkwwoollff/MAL-2025-3430.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2025-3430

Published

2025-03-24T08:08:10Z

Modified

2026-03-19T12:51:01.768119Z

Summary

Malicious code in bbllaacckkwwoollff (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (2507dd4c5b3b3c1fae3213243ff0a27b71955dfbb39069f677660e025ac08f0d)

During installation, the code either exfiltrate some information about the system or download and execute remote code

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-03-blackwolf

Reasons (based on the campaign):

The package overrides the install command in setup.py to execute malicious code during installation.
exfiltration-generic
Downloads and executes a remote malicious script.

Database specific

{
    "iocs": {
        "domains": [
            "blackwolf.obs.cn-north-4.myhuaweicloud.com"
        ]
    },
    "malicious-packages-origins": [
        {
            "id": "RLMA-2025-02489",
            "import_time": "2025-04-25T09:36:44.656813409Z",
            "sha256": "4a6099a0ccf7b1beb4b9c3421574e9a0180f59097a978b3f9a976c9f83776498",
            "source": "reversing-labs",
            "modified_time": "2025-04-23T16:06:13Z",
            "versions": [
                "0.1",
                "0.2",
                "0.3",
                "0.4"
            ]
        },
        {
            "id": "pypi/2025-03-blackwolf/bbllaacckkwwoollff",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2025-12-02T22:30:54.976016412Z",
            "sha256": "acf485ec63821cd26268e780163b40867ac872945515407742bbaf91f33e989f",
            "source": "kam193",
            "modified_time": "2025-03-24T08:08:10Z"
        },
        {
            "id": "pypi/2025-03-blackwolf/bbllaacckkwwoollff",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2025-12-02T23:07:18.008032293Z",
            "sha256": "2507dd4c5b3b3c1fae3213243ff0a27b71955dfbb39069f677660e025ac08f0d",
            "source": "kam193",
            "modified_time": "2025-03-24T08:08:10Z"
        },
        {
            "id": "pypi/2025-03-blackwolf/bbllaacckkwwoollff",
            "import_time": "2025-12-10T21:38:57.309907812Z",
            "sha256": "97c3dfb5dab9bacdc7c30ccbb4100b27ff529ea9d345498d7ab464fa8c0d7614",
            "source": "kam193",
            "modified_time": "2025-03-24T08:08:10Z",
            "versions": [
                "0.1",
                "0.2",
                "0.3",
                "0.4"
            ]
        },
        {
            "id": "RLUA-2026-00136",
            "import_time": "2026-03-19T12:19:28.629755248Z",
            "sha256": "9e421c9f77c2db3e14f7decf94913607a81b71b2b8a4016fc0344c9521d5f302",
            "source": "reversing-labs",
            "modified_time": "2026-03-18T12:11:48Z"
        }
    ]
}

References

https://bad-packages.kam193.eu/pypi/package/bbllaacckkwwoollff

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - ANALYST
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- ReversingLabs - FINDER
- - https://www.reversinglabs.com

Affected packages

PyPI / bbllaacckkwwoollff

Package

Name: bbllaacckkwwoollff; View open source insights on deps.dev
Purl: pkg:pypi/bbllaacckkwwoollff

Affected ranges

Affected versions

0.*

0.1

0.2

0.3

0.4

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/bbllaacckkwwoollff/MAL-2025-3430.json"