MAL-2025-5121

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/netspear/MAL-2025-5121.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2025-5121

Published

2025-05-15T18:11:34Z

Modified

2026-03-19T12:55:15.993853Z

Summary

Malicious code in netspear (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (015d4e7a345166ce5767408055a810a394e59a8c40b1a3c459ee006efa647e0a)

Code download and runs an executable, which is widely recognized as malware. The system is also configured to run it on startup, and the file is saved in paths attempting to look as a system file.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-05-requestpackat

Reasons (based on the campaign):

Downloads and executes a remote executable.
malware
peristence-autorun

Database specific

{
    "iocs": {
        "urls": [
            "https://github.com/FaresEI3RAB/Fares/raw/refs/heads/main/svchost.exe",
            "https://pastebin.com/raw/hxAQV6Nq",
            "https://pastebin.com/raw/Z4VMbzLP"
        ]
    },
    "malicious-packages-origins": [
        {
            "id": "RLMA-2025-03018",
            "import_time": "2025-06-18T15:06:01.907134367Z",
            "sha256": "ea6eda20b9944f3c64f2b1317d7f52b997e99a7292e7e95a5e3718158fd1509b",
            "source": "reversing-labs",
            "modified_time": "2025-06-18T10:15:14Z",
            "versions": [
                "1.0.7"
            ]
        },
        {
            "id": "pypi/2025-05-requestpackat/netspear",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2025-12-02T22:30:55.357754965Z",
            "sha256": "075f67a838fbfebdad8179a87410b65d43e616d4889db07537d92ed5456975cf",
            "source": "kam193",
            "modified_time": "2025-05-15T18:11:34Z"
        },
        {
            "id": "pypi/2025-05-requestpackat/netspear",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2025-12-02T23:07:18.389754659Z",
            "sha256": "015d4e7a345166ce5767408055a810a394e59a8c40b1a3c459ee006efa647e0a",
            "source": "kam193",
            "modified_time": "2025-05-15T18:11:34Z"
        },
        {
            "id": "pypi/2025-05-requestpackat/netspear",
            "import_time": "2025-12-10T21:38:57.610364061Z",
            "sha256": "54764f23fdbdff7f6b6600a5c3f9a07d7dbf57a820f29cc2c290c42a28200b00",
            "source": "kam193",
            "modified_time": "2025-05-15T18:11:34Z",
            "versions": [
                "1.0.7"
            ]
        },
        {
            "id": "RLUA-2026-00554",
            "import_time": "2026-03-19T12:20:08.184359427Z",
            "sha256": "130385d02adbd04e3924dc9d995864ab3bfbeea181db0460889ae885218126d5",
            "source": "reversing-labs",
            "modified_time": "2026-03-18T12:16:28Z"
        }
    ]
}

References

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- ReversingLabs - FINDER
- - https://www.reversinglabs.com

Affected packages

PyPI / netspear

Package

Name: netspear; View open source insights on deps.dev
Purl: pkg:pypi/netspear

Affected ranges

Affected versions

1.*

1.0.7

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/netspear/MAL-2025-5121.json"