MAL-2025-47749

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/brotli-python/MAL-2025-47749.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-47749
Published
2025-09-07T18:53:07Z
Modified
2025-12-31T02:52:40.210602Z
Summary
Malicious code in brotli-python (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (3750f9d493198c7607b7f1d5855b6e8726edb24618beeb216e5a86a4a9119e5f)

Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.


Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: GENERIC-standard-pypi-install-pentest

Reasons (based on the campaign):

  • The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.

  • The package overrides the install command in setup.py to execute malicious code during installation.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "99.3.1",
                "99.6.1",
                "99.99.1"
            ],
            "modified_time": "2025-09-26T09:13:46Z",
            "sha256": "2ec570a3bde8f9312ed5f031fd3423750dc7b1f6ac99506dbac2b5f3767e8c2e",
            "id": "RLMA-2025-04748",
            "import_time": "2025-09-26T11:05:31.470267384Z",
            "source": "reversing-labs"
        },
        {
            "versions": [
                "99.5.1",
                "99.3.1",
                "99.2.1",
                "99.1.1",
                "1.9.12",
                "100.99.0",
                "1.0.9",
                "1.1.9",
                "1.2.9"
            ],
            "modified_time": "2025-09-08T03:28:46.004831Z",
            "sha256": "65512240f27e9cf895a084968c506b54497be85127ec7d8da531eaf21fcb236a",
            "id": "pypi/GENERIC-standard-pypi-install-pentest/brotli-python",
            "import_time": "2025-12-02T22:30:55.892985621Z",
            "source": "kam193"
        },
        {
            "versions": [
                "99.5.1",
                "99.3.1",
                "99.2.1",
                "99.1.1",
                "1.9.12",
                "100.99.0",
                "1.0.9",
                "1.1.9",
                "1.2.9"
            ],
            "modified_time": "2025-09-08T03:28:46.004831Z",
            "sha256": "3750f9d493198c7607b7f1d5855b6e8726edb24618beeb216e5a86a4a9119e5f",
            "id": "pypi/GENERIC-standard-pypi-install-pentest/brotli-python",
            "import_time": "2025-12-02T23:07:19.078977133Z",
            "source": "kam193"
        },
        {
            "versions": [
                "1.0.9",
                "1.1.9",
                "1.2.9",
                "1.9.12",
                "99.1.1",
                "99.2.1",
                "99.3.1",
                "99.5.1",
                "100.99.0"
            ],
            "modified_time": "2025-09-08T03:28:46.004831Z",
            "sha256": "001d708d03d7eb0b5ceaed11cea3cfd3ff915e784393a872f5cf71d087dc04fd",
            "id": "pypi/GENERIC-standard-pypi-install-pentest/brotli-python",
            "import_time": "2025-12-30T22:39:04.268048231Z",
            "source": "kam193"
        }
    ]
}
References
Credits

Affected packages

Package: PyPI / brotli-python

Affected ranges

Affected versions
1.*: 1.0.9, 1.1.9, 1.2.9, 1.9.12
99.*: 99.1.1, 99.2.1, 99.3.1, 99.5.1, 99.6.1, 99.99.1
100.*: 100.99.0

Database specific

source: "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/brotli-python/MAL-2025-47749.json"