MAL-2025-5120

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/netpackat/MAL-2025-5120.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2025-5120

Published

2025-05-15T18:11:34Z

Modified

2026-03-19T12:55:12.017265Z

Summary

Malicious code in netpackat (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (f0f971eaa8aa4f59d981802034020fcd9b7c6008c2e9ed41a868a9e3186e7eed)

Code download and runs an executable, which is widely recognized as malware. The system is also configured to run it on startup, and the file is saved in paths attempting to look as a system file.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-05-requestpackat

Reasons (based on the campaign):

Downloads and executes a remote executable.
malware
peristence-autorun

Database specific

{
    "iocs": {
        "urls": [
            "https://github.com/FaresEI3RAB/Fares/raw/refs/heads/main/svchost.exe",
            "https://pastebin.com/raw/hxAQV6Nq",
            "https://pastebin.com/raw/Z4VMbzLP"
        ]
    },
    "malicious-packages-origins": [
        {
            "id": "RLMA-2025-03017",
            "import_time": "2025-06-18T15:06:01.817978614Z",
            "sha256": "364bc6883ac08ccaa71c86fbd4ddea8c088ae2724d571bffab75d896ea1b9277",
            "source": "reversing-labs",
            "modified_time": "2025-06-18T10:15:14Z",
            "versions": [
                "1.0.4"
            ]
        },
        {
            "id": "pypi/2025-05-requestpackat/netpackat",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2025-12-02T22:30:55.357024713Z",
            "sha256": "fca30f947fe155b7e74e8f753caff8d20377ff4090a95512595c7bdc413266db",
            "source": "kam193",
            "modified_time": "2025-05-15T18:11:34Z"
        },
        {
            "id": "pypi/2025-05-requestpackat/netpackat",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2025-12-02T23:07:18.388848708Z",
            "sha256": "f0f971eaa8aa4f59d981802034020fcd9b7c6008c2e9ed41a868a9e3186e7eed",
            "source": "kam193",
            "modified_time": "2025-05-15T18:11:34Z"
        },
        {
            "id": "pypi/2025-05-requestpackat/netpackat",
            "import_time": "2025-12-10T21:38:57.6095485Z",
            "sha256": "4d00cb14bddfeac7255045a34f499cbe51fcf96a229ab60e5f4fb69d3cd5b745",
            "source": "kam193",
            "modified_time": "2025-05-15T18:11:34Z",
            "versions": [
                "1.0.4"
            ]
        },
        {
            "id": "RLUA-2026-00553",
            "import_time": "2026-03-19T12:20:08.088016863Z",
            "sha256": "289b33921d587bd0778af30e88dffd763cd67b419524fdb81cdb67e3f25a113f",
            "source": "reversing-labs",
            "modified_time": "2026-03-18T12:16:27Z"
        }
    ]
}

References

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- ReversingLabs - FINDER
- - https://www.reversinglabs.com

Affected packages

PyPI / netpackat

Package

Name: netpackat; View open source insights on deps.dev
Purl: pkg:pypi/netpackat

Affected ranges

Affected versions

1.*

1.0.4

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/netpackat/MAL-2025-5120.json"