-= Per source details. Do not edit below this line.=-
During installation, sensitive information (including environment variables) is exfiltrated.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-07-vtk-osmesa
Reasons (based on the campaign):
exfiltration-env-variables
The package overrides the install command in setup.py to execute malicious code during installation.
The package contains code to exfiltrate basic data from the system, such as the IP address or username. It poses a limited risk.
The OpenSSF Package Analysis project identified 'vtk-osmesa' @ 900.548.735 (pypi) as malicious.
It is considered malicious because:
The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.
{
  "iocs": {
    "domains": [
      "deadly-polished-snail.ngrok-free.app"
    ]
  },
  "malicious-packages-origins": [
    {
      "source": "ossf-package-analysis",
      "modified_time": "2025-07-14T19:49:43Z",
      "sha256": "c7551fe96e5c82f2d015f2192ef59cb289a105d8549b9d18285d3fd33e7f1bf4",
      "versions": [
        "900.548.735"
      ],
      "import_time": "2025-07-14T20:06:56.917476661Z"
    },
    {
      "source": "ossf-package-analysis",
      "modified_time": "2025-07-14T20:01:28Z",
      "sha256": "fbfa8dae1a6eed56bd9367ae529bbf25fac65af65e367d222b02b701c149210e",
      "versions": [
        "900.548.736"
      ],
      "import_time": "2025-07-14T20:06:56.987789643Z"
    },
    {
      "source": "ossf-package-analysis",
      "modified_time": "2025-07-14T20:54:03Z",
      "sha256": "61c30b8c639fc2130b0d95047bc880aa792747c9ea7bf54dcd2a36e1d3019739",
      "versions": [
        "900.548.746"
      ],
      "import_time": "2025-07-14T21:06:04.010992795Z"
    },
    {
      "source": "ossf-package-analysis",
      "modified_time": "2025-07-14T20:47:21Z",
      "sha256": "8309b0e4c8f1581d8b20bb4f161e856c87d46e367861eb44153b074406b1d2fe",
      "versions": [
        "900.548.744"
      ],
      "import_time": "2025-07-14T21:06:03.931802578Z"
    },
    {
      "source": "ossf-package-analysis",
      "modified_time": "2025-07-14T21:19:47Z",
      "sha256": "4751cac9deec1e341e0e7e761dfd8ea8c89830a61df5fd58841e242de8c0eb33",
      "versions": [
        "900.548.751"
      ],
      "import_time": "2025-07-14T21:36:00.817326305Z"
    },
    {
      "source": "ossf-package-analysis",
      "modified_time": "2025-07-14T21:12:14Z",
      "sha256": "ae51c0b2d806da87b9849d348545680dd2510318e9158cfeec9e03f2735e09f6",
      "versions": [
        "900.548.747"
      ],
      "import_time": "2025-07-14T21:36:00.646529624Z"
    },
    {
      "source": "kam193",
      "id": "pypi/2025-07-vtk-osmesa/vtk-osmesa",
      "modified_time": "2025-07-14T20:29:18.638467Z",
      "sha256": "4402cf1d7c9b050e1bba2b0ae07a4e73c7ba0255ee7b4cb05f9bf540055ee018",
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            }
          ]
        }
      ],
      "import_time": "2025-12-02T22:30:55.71953731Z"
    },
    {
      "source": "kam193",
      "id": "pypi/2025-07-vtk-osmesa/vtk-osmesa",
      "modified_time": "2025-07-14T20:29:18.638467Z",
      "sha256": "910e787804512eabe1c118f5347fed9f57ca936717e18a80d26622108d75399e",
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            }
          ]
        }
      ],
      "import_time": "2025-12-02T23:07:18.758945512Z"
    },
    {
      "source": "kam193",
      "id": "pypi/2025-07-vtk-osmesa/vtk-osmesa",
      "modified_time": "2025-07-14T20:29:18.638467Z",
      "sha256": "db413462206456c3d72b71effefb95ecbc50f84bba26ca3600c6592f9268db61",
      "versions": [
        "0.0.7",
        "9.0.1",
        "900.548.725",
        "900.548.726",
        "900.548.731",
        "900.548.733",
        "900.548.734",
        "900.548.735",
        "900.548.736",
        "900.548.739",
        "900.548.742",
        "900.548.747",
        "900.548.746",
        "900.548.744",
        "900.548.751",
        "900.548.752"
      ],
      "import_time": "2025-12-10T21:38:57.928614273Z"
    },
    {
      "source": "kam193",
      "id": "pypi/2025-07-vtk-osmesa/vtk-osmesa",
      "modified_time": "2025-07-14T20:29:18.638467Z",
      "sha256": "eb6b8a31b588385619a873ad0f75aadd35512e39b211404042970b917230644f",
      "versions": [
        "0.0.7",
        "9.0.1",
        "900.548.725",
        "900.548.726",
        "900.548.731",
        "900.548.733",
        "900.548.734",
        "900.548.735",
        "900.548.736",
        "900.548.739",
        "900.548.742",
        "900.548.744",
        "900.548.746",
        "900.548.747",
        "900.548.751",
        "900.548.752"
      ],
      "import_time": "2025-12-30T22:39:04.208326894Z"
    }
  ]
}