MAL-2025-3454

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/piedefender/MAL-2025-3454.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-3454
Published
2025-03-01T15:16:30Z
Modified
2026-03-19T12:55:21.819925Z
Summary
Malicious code in piedefender (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (f8a30e991bd97073c50a9cdabb10842f2c5ae074c46fcd0aeff5d7917d4b56fa)

setup.py is prepared to download and run an obfuscated batch script. While the script is not currently detected by any AV, sandbox analysis reveals behaviour such as adding exclusions to Windows Defender.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-02-pydefender

Reasons (based on the campaign):

  • Downloads and executes a remote malicious script.

  • malware

  • The package overrides the install command in setup.py to execute malicious code during installation.

Database specific
{
    "iocs": {
        "urls": [
            "https://raw.githubusercontent.com/baledreamer/payload/refs/heads/main/smegma.bat"
        ]
    },
    "malicious-packages-origins": [
        {
            "versions": [
                "0.0.1"
            ],
            "id": "RLMA-2025-02517",
            "modified_time": "2025-04-23T16:06:31Z",
            "import_time": "2025-04-25T09:36:47.086298036Z",
            "sha256": "b13c9da5083fadd88be010b9dd1c0f2e3cb5cec7f1ff9a33d8f5f824c3182e1e",
            "source": "reversing-labs"
        },
        {
            "id": "pypi/2025-02-pydefender/piedefender",
            "modified_time": "2025-03-01T15:16:30Z",
            "import_time": "2025-12-02T22:30:55.427439345Z",
            "sha256": "2c1529cc05836ad53ce1822ee0e8da4790aa1ce9d219d1b00e70ced2cb8798fe",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "kam193"
        },
        {
            "id": "pypi/2025-02-pydefender/piedefender",
            "modified_time": "2025-03-01T15:16:30Z",
            "import_time": "2025-12-02T23:07:18.453273245Z",
            "sha256": "f8a30e991bd97073c50a9cdabb10842f2c5ae074c46fcd0aeff5d7917d4b56fa",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "source": "kam193"
        },
        {
            "versions": [
                "0.0.1"
            ],
            "id": "pypi/2025-02-pydefender/piedefender",
            "modified_time": "2025-03-01T15:16:30Z",
            "import_time": "2025-12-10T21:38:57.668560408Z",
            "sha256": "2903ec35712e2f200e617905786798d33c5fde00c0334c5694257c81e6b9f066",
            "source": "kam193"
        },
        {
            "id": "RLUA-2026-00591",
            "modified_time": "2026-03-18T12:16:55Z",
            "import_time": "2026-03-19T12:20:12.093951523Z",
            "sha256": "9eac6fdd9b544e93e1b48694e0ffad9d309d5a7d03f1c87eb4b806af6e9e2141",
            "source": "reversing-labs"
        }
    ]
}
References
Credits

Affected packages

PyPI / piedefender

Package

Affected ranges

Affected versions

0.*
0.0.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/piedefender/MAL-2025-3454.json"