-= Per source details. Do not edit below this line.=-
Example of a typosquatting package that is rather safe, as it uses localhost as the exfiltration target. The package targets a typo in the Binance documentation: https://github.com/binance/binance-connector-python/blob/f1703c54c3059423a8568b2300597210b19b938e/clients/rebate/docs/migrationguiderebate_sdk.md
Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.
Campaign: GENERIC-standard-pypi-install-pentest
Reasons (based on the campaign):
The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
The package overrides the install command in setup.py to execute malicious code during installation.
{
  "malicious-packages-origins": [
    {
      "versions": [
        "10.0.0"
      ],
      "sha256": "8c6df72dfa3549c1d5f204b74c7ddea64781cedd2b93ee103698a72b587e1301",
      "modified_time": "2025-09-26T09:13:45Z",
      "source": "reversing-labs",
      "id": "RLMA-2025-04746",
      "import_time": "2025-09-26T11:05:31.285364324Z"
    },
    {
      "versions": [
        "10.0.0"
      ],
      "sha256": "00215dfec61ee883c8bdcaf36ceda21926774db797421144e2cb673eb30956f7",
      "modified_time": "2025-08-18T19:44:10.239927Z",
      "source": "kam193",
      "id": "pypi/GENERIC-standard-pypi-install-pentest/binance-sdk-ebate",
      "import_time": "2025-12-02T22:30:55.885812958Z"
    },
    {
      "versions": [
        "10.0.0"
      ],
      "sha256": "43db9ff01b53b59066c74bb7571e281c1364444174851bd25c272e8fd7f3f503",
      "modified_time": "2025-08-18T19:44:10.239927Z",
      "source": "kam193",
      "id": "pypi/GENERIC-standard-pypi-install-pentest/binance-sdk-ebate",
      "import_time": "2025-12-02T23:07:19.069863061Z"
    },
    {
      "sha256": "a85059f412b3df3d86b1d2905b67aaf4e1e3d1f2b0585171a44f598a5106011d",
      "modified_time": "2026-03-18T12:11:55Z",
      "source": "reversing-labs",
      "id": "RLUA-2026-00148",
      "import_time": "2026-03-19T12:19:29.458426902Z"
    }
  ]
}