MAL-2025-47764

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/etherweb3/MAL-2025-47764.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2025-47764

Published

2025-08-21T11:21:42Z

Modified

2026-03-19T12:52:49.814066Z

Summary

Malicious code in etherweb3 (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (500af99cbff4bad856e50637e3046662824ccdde4cbf8f35cfe5d6bb2c880ce8)

Malicious clone of a legitimate "web3" package. During importing, a code aiming to exfiltrate private keys is executed

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-08-etherweb3

Reasons (based on the campaign):

exfiltration-crypto
crypto-related
clones-real-package

Database specific

{
    "iocs": {
        "urls": [
            "https://v1.nocodeapi.com/lionelphp/telegram/ZSkmODfnkodNVXwR/sendText"
        ]
    },
    "malicious-packages-origins": [
        {
            "id": "RLMA-2025-04765",
            "import_time": "2025-09-26T11:05:32.766021866Z",
            "sha256": "038e484cdc4348c49a74fb5f336b79ed6ea39f0662d0a5cabf6b31bee8557955",
            "modified_time": "2025-09-26T09:13:56Z",
            "source": "reversing-labs",
            "versions": [
                "0.3.9",
                "0.3.10",
                "0.3.11",
                "0.4.2"
            ]
        },
        {
            "id": "pypi/2025-08-etherweb3/etherweb3",
            "import_time": "2025-12-02T22:30:55.168169317Z",
            "sha256": "9310821b956843395eecc0090680966e41571541b9ceb6322addf252b2823c38",
            "modified_time": "2025-08-21T11:21:42.827129Z",
            "source": "kam193",
            "versions": [
                "0.4.2",
                "0.3.11",
                "0.3.10",
                "0.3.9"
            ]
        },
        {
            "id": "pypi/2025-08-etherweb3/etherweb3",
            "import_time": "2025-12-02T23:07:18.175382813Z",
            "sha256": "500af99cbff4bad856e50637e3046662824ccdde4cbf8f35cfe5d6bb2c880ce8",
            "modified_time": "2025-08-21T11:21:42.827129Z",
            "source": "kam193",
            "versions": [
                "0.4.2",
                "0.3.11",
                "0.3.10",
                "0.3.9"
            ]
        },
        {
            "id": "pypi/2025-08-etherweb3/etherweb3",
            "import_time": "2025-12-30T22:39:04.080917733Z",
            "sha256": "573ae3dd4f93be0d622e9628c6af89d9a1749711e5612dd06b8f97db05965c00",
            "modified_time": "2025-08-21T11:21:42.827129Z",
            "source": "kam193",
            "versions": [
                "0.3.9",
                "0.3.10",
                "0.3.11",
                "0.4.2"
            ]
        },
        {
            "id": "RLUA-2026-00299",
            "import_time": "2026-03-19T12:19:43.253098279Z",
            "sha256": "e7fb71888483b39ae2a745f686f57be13618d33436cd992b2782361d324ec240",
            "modified_time": "2026-03-18T12:13:35Z",
            "source": "reversing-labs"
        }
    ]
}

References

https://bad-packages.kam193.eu/pypi/package/etherweb3

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - ANALYST
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- ReversingLabs - FINDER
- - https://www.reversinglabs.com

Affected packages

PyPI / etherweb3

Package

Name: etherweb3; View open source insights on deps.dev
Purl: pkg:pypi/etherweb3

Affected ranges

Affected versions

0.*

0.3.9

0.3.10

0.3.11

0.4.2

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/etherweb3/MAL-2025-47764.json"