MAL-2025-3437

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/bitcoinlibdbfix/MAL-2025-3437.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-3437
Aliases
  • SNYK-PYTHON-BITCOINLIBDBFIX-9667328
Published
2025-03-30T15:18:14Z
Modified
2025-12-12T20:36:31.112675Z
Summary
Malicious code in bitcoinlibdbfix (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (a5cb52fa4f2ac6a68416c59a513399e01bb388d5e238260b712a513db3d97233)

It overwrites the 'clw' command from legit bitconinlib package and attempts to exfiltrate its database on the usage.

As a context, it appears to be created to lure users seeking for help with the bitconinlib package: https://github.com/1200wd/bitcoinlib/issues/455#issuecomment-2764513104

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-03-bitcoinlibdbfix

Reasons (based on the campaign):

  • files-exfiltration

  • crypto-related

  • action-hidden-in-lib-usage

  • exfiltration-crypto

Database specific 
{
    "iocs": {
        "urls": [
            "https://5fde88fde64f4682c2fc1e10e6c.vercel.app/api/send",
            "https://discord.com/api/webhooks/1329712636807610379/eU6AZ5oBM_12FIkwvtiasyjywx7WYW7wzuWJwWU3u2kadKko7QKpXcl3Kd0fJspPhM4w"
        ]
    },
    "malicious-packages-origins": [
        {
            "id": "RLMA-2025-02496",
            "import_time": "2025-04-25T09:36:45.304638498Z",
            "sha256": "ab5b3540f4c692cb612450c054a7f3f6269fac09919d37ad47715afa2a314d18",
            "modified_time": "2025-04-23T16:06:16Z",
            "source": "reversing-labs",
            "versions": [
                "0.4.8",
                "0.4.9",
                "0.4.10",
                "0.4.11",
                "0.4.12",
                "0.4.13",
                "0.4.14"
            ]
        },
        {
            "id": "pypi/2025-03-bitcoinlibdbfix/bitcoinlibdbfix",
            "import_time": "2025-12-02T22:30:54.994118496Z",
            "sha256": "55845c378f8d0c93bb2ac1f5f38bb4a6e226fd3f506cda28e55ce70ee713d052",
            "modified_time": "2025-03-30T15:18:14Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "source": "kam193"
        },
        {
            "id": "pypi/2025-03-bitcoinlibdbfix/bitcoinlibdbfix",
            "import_time": "2025-12-02T23:07:18.026003304Z",
            "sha256": "a5cb52fa4f2ac6a68416c59a513399e01bb388d5e238260b712a513db3d97233",
            "modified_time": "2025-03-30T15:18:14Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "source": "kam193"
        },
        {
            "id": "pypi/2025-03-bitcoinlibdbfix/bitcoinlibdbfix",
            "import_time": "2025-12-10T21:38:57.319970664Z",
            "sha256": "d0a5c5913c23e65a4562411c5623b96364dbcc4baa11648c7efba0e804bec935",
            "modified_time": "2025-03-30T15:18:14Z",
            "source": "kam193",
            "versions": [
                "0.4.8",
                "0.4.9",
                "0.4.10",
                "0.4.11",
                "0.4.12",
                "0.4.13",
                "0.4.14"
            ]
        }
    ]
}
References
Credits

Affected packages

PyPI / bitcoinlibdbfix

Package

Name
bitcoinlibdbfix
View open source insights on deps.dev
Purl
pkg:pypi/bitcoinlibdbfix

Affected ranges

Affected versions

0.*
0.4.8
0.4.9
0.4.10
0.4.11
0.4.12
0.4.13
0.4.14

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/bitcoinlibdbfix/MAL-2025-3437.json"