MAL-2025-41686

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/httpsyncer/MAL-2025-41686.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-41686
Published
2025-08-06T14:30:46Z
Modified
2026-03-19T12:53:39.941578Z
Summary
Malicious code in httpsyncer (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (3e9323dbc11b949e9970ead2dcc1c5a7f05348a977591f8c86027ee220c86b62)

Package is runs an Infostealer targeting telegram and Discord credentials. Depending on version, the infostealer is either downloaded from an URL or embedded in the package


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-08-dsidelib

Reasons (based on the campaign):

  • infostealer

  • Downloads and executes a remote malicious script.

  • exfiltration-browser-data

  • target:telegram

Database specific
{
    "iocs": {
        "urls": [
            "https://raw.githubusercontent.com/hellyth1337/dfree/main/crasherBypass.py",
            "https://discord.com/api/webhooks/1400046440088342641/SDsNfGaWeR9dpGIfRUzHGZPBboYzcUqY2gQBhCXpc9eWmRhknG0QQGkcXWaFle-9J5U6"
        ]
    },
    "malicious-packages-origins": [
        {
            "modified_time": "2025-08-28T07:11:11Z",
            "import_time": "2025-08-29T06:41:45.499325006Z",
            "versions": [
                "1.0.0"
            ],
            "id": "RLMA-2025-04178",
            "source": "reversing-labs",
            "sha256": "baeae37e1174204bc135a09c5dfed562bcca48d347375141ba25609b4fb9ccd1"
        },
        {
            "modified_time": "2025-08-06T14:30:46.098545Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "import_time": "2025-12-02T22:30:55.25867055Z",
            "id": "pypi/2025-08-dsidelib/httpsyncer",
            "source": "kam193",
            "sha256": "28596981d86a001cf204b04afc8e53ffc504e755765f8b4a87cd56fa5213e42a"
        },
        {
            "modified_time": "2025-08-06T14:30:46.098545Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "import_time": "2025-12-02T23:07:18.282136667Z",
            "id": "pypi/2025-08-dsidelib/httpsyncer",
            "source": "kam193",
            "sha256": "3e9323dbc11b949e9970ead2dcc1c5a7f05348a977591f8c86027ee220c86b62"
        },
        {
            "modified_time": "2025-08-06T14:30:46.098545Z",
            "import_time": "2025-12-10T21:38:57.533652729Z",
            "versions": [
                "1.0.0"
            ],
            "id": "pypi/2025-08-dsidelib/httpsyncer",
            "source": "kam193",
            "sha256": "b700f5e445c5f321d670ea3920eae22fc6905ee1daa07e63d98580ae2c38c2cd"
        },
        {
            "modified_time": "2026-03-18T12:14:46Z",
            "import_time": "2026-03-19T12:19:52.917727626Z",
            "id": "RLUA-2026-00402",
            "source": "reversing-labs",
            "sha256": "2552d0f681d317319dfea5f2abb35526bd858cd33b4de4706dea7ebdd378633a"
        }
    ]
}
References
Credits

Affected packages

PyPI / httpsyncer

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/httpsyncer/MAL-2025-41686.json"