MAL-2025-5127

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/requestpackat/MAL-2025-5127.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2025-5127

Published

2025-05-15T18:11:34Z

Modified

2026-03-19T12:56:17.140221Z

Summary

Malicious code in requestpackat (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (b70e437edd04a30f48e384a4a07cdb1790dcb5e6a66ba800dc1703bf845a6b36)

Code download and runs an executable, which is widely recognized as malware. The system is also configured to run it on startup, and the file is saved in paths attempting to look as a system file.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-05-requestpackat

Reasons (based on the campaign):

Downloads and executes a remote executable.
malware
peristence-autorun

Database specific

{
    "iocs": {
        "urls": [
            "https://github.com/FaresEI3RAB/Fares/raw/refs/heads/main/svchost.exe",
            "https://pastebin.com/raw/hxAQV6Nq",
            "https://pastebin.com/raw/Z4VMbzLP"
        ]
    },
    "malicious-packages-origins": [
        {
            "source": "reversing-labs",
            "id": "RLMA-2025-03024",
            "modified_time": "2025-06-18T10:15:19Z",
            "sha256": "bd9fa31de2e6585f8ff120c4dc6ec856376f193db6aaafc59c77c2ebdaae7af3",
            "versions": [
                "1.0.1",
                "1.0.2"
            ],
            "import_time": "2025-06-18T15:06:02.512242444Z"
        },
        {
            "source": "kam193",
            "id": "pypi/2025-05-requestpackat/requestpackat",
            "modified_time": "2025-05-15T18:11:34Z",
            "sha256": "8ec797580e984c82836fdf3d52adc8441744a46da5d0f602f189a96fba6a9c1f",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2025-12-02T22:30:55.537428731Z"
        },
        {
            "source": "kam193",
            "id": "pypi/2025-05-requestpackat/requestpackat",
            "modified_time": "2025-05-15T18:11:34Z",
            "sha256": "b70e437edd04a30f48e384a4a07cdb1790dcb5e6a66ba800dc1703bf845a6b36",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2025-12-02T23:07:18.575881016Z"
        },
        {
            "source": "kam193",
            "id": "pypi/2025-05-requestpackat/requestpackat",
            "modified_time": "2025-05-15T18:11:34Z",
            "sha256": "ee2729f4331f0e1f42f440b377e789ff4b1afcdc427986769e6fcdfad25167ce",
            "versions": [
                "1.0.1",
                "1.0.2"
            ],
            "import_time": "2025-12-10T21:38:57.784699921Z"
        },
        {
            "source": "reversing-labs",
            "id": "RLUA-2026-00704",
            "modified_time": "2026-03-18T12:18:12Z",
            "sha256": "f70b8dd5337e5eac2517248cbc9fe4266de761329e07af3c8597d85a98b42b41",
            "import_time": "2026-03-19T12:20:22.411196794Z"
        }
    ]
}

References

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- ReversingLabs - FINDER
- - https://www.reversinglabs.com

Affected packages

PyPI / requestpackat

Package

Name: requestpackat; View open source insights on deps.dev
Purl: pkg:pypi/requestpackat

Affected ranges

Affected versions

1.*

1.0.1

1.0.2

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/requestpackat/MAL-2025-5127.json"