MAL-2025-6540
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/mainx/MAL-2025-6540.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2025-6540
- Published
- 2025-06-24T15:56:56Z
- Modified
- 2026-03-19T12:54:38.117834Z
- Summary
- Malicious code in mainx (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: kam193 (6a77aad2f42165ec9582f04fffab948f6a1125564e34f4d09c8d089b2708d8d2)
While described as educational package to simulate post-exploitation environment, the malware is active and once started, automatically attempts to exfiltrate sensitive data (credentials, cookies, etc.) and places a Discord implant. The remote target is hard coded in the code.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-06-mainx
Reasons (based on the campaign):
obfuscation
infostealer
files-exfiltration
exfiltration-credentials
exfiltration-browser-data
peristence-autorun
The package contains code to detect if it is running in a sandbox environment.
- Database specific
{ "malicious-packages-origins": [ { "id": "RLMA-2025-03634", "sha256": "c47485e969c40c9ce7c118d971f25ff7bbcf66f6d961a28ffa39d7bf497957d3", "import_time": "2025-08-01T10:07:12.360069312Z", "source": "reversing-labs", "modified_time": "2025-07-31T19:15:35Z", "versions": [ "0.1", "0.4", "0.5", "0.6", "0.7", "0.8", "0.9", "1" ] }, { "id": "RLUA-2025-04194", "sha256": "7f7a6cb96cd1bab4f33b465ea33076403d7c65d54b346d865a57eb11ee2fd712", "import_time": "2025-08-29T06:42:44.431005562Z", "source": "reversing-labs", "modified_time": "2025-08-28T07:11:20Z" }, { "id": "pypi/2025-06-mainx/mainx", "sha256": "e24c50cb97b2294bf6202850b4bc869265cf991422d480d67db0e89f807fa45e", "import_time": "2025-12-02T22:30:55.321256609Z", "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "source": "kam193", "modified_time": "2025-06-24T15:56:56Z" }, { "id": "pypi/2025-06-mainx/mainx", "sha256": "6a77aad2f42165ec9582f04fffab948f6a1125564e34f4d09c8d089b2708d8d2", "import_time": "2025-12-02T23:07:18.348686015Z", "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "source": "kam193", "modified_time": "2025-06-24T15:56:56Z" }, { "id": "pypi/2025-06-mainx/mainx", "sha256": "6f37d98ee668c0690e6163289206307f8b89b3af36f23b6245eaa22b141110f7", "import_time": "2025-12-10T21:38:57.581695761Z", "source": "kam193", "modified_time": "2025-06-24T15:56:56Z", "versions": [ "0.1", "0.4", "0.5", "0.6", "0.7", "0.8", "0.9", "1.0" ] }, { "id": "RLUA-2026-00487", "sha256": "0e2991d8b172137fed549d6f6671dfd4a38ef4c0e6e09a906908c0232e28e33e", "import_time": "2026-03-19T12:20:00.949831165Z", "source": "reversing-labs", "modified_time": "2026-03-18T12:15:47Z" } ] }- References
- Credits
-
-
- Kamil Mańkowski (kam193)
-
- Kamil Mańkowski (kam193) - REPORTER
-
- ReversingLabs - FINDER
-
Affected packages
PyPI / mainx
Package
- Name
- mainx
- View open source insights on deps.dev
- Purl
- pkg:pypi/mainx