MAL-2025-6564

Import Source: https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pipmodule823/MAL-2025-6564.json
JSON Data: https://api.osv.dev/v1/vulns/MAL-2025-6564
Published: 2025-07-05T11:05:55Z
Modified: 2026-03-19T12:55:21.523780Z
Summary: Malicious code in pipmodule823 (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (57b078ffca6f219848df2289282933442be06a2932d0d163ede59fe4a533faca)

If run as a module, the package downloads and executes a remote script. At the time of check, the remote script was just opening a popup; thus it's not classified as clearly malicious.

Through the package description related to the "cirhenly" package, which was uploaded by "0x92nw" - see campaign 2025-07-0x92nw.


Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: 2025-07-pipmodule83

Reasons (based on the campaign):

  • Downloads and executes a remote malicious script.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "reversing-labs",
            "id": "RLMA-2025-03661",
            "sha256": "c1f07f206c190c756c90730237cd6287bcf0ff08d1626294c13f5386f46ca32c",
            "import_time": "2025-08-01T10:07:13.151671372Z",
            "versions": [
                "1.0.2"
            ],
            "modified_time": "2025-07-31T19:16:01Z"
        },
        {
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "source": "kam193",
            "id": "pypi/2025-07-pipmodule83/pipmodule823",
            "sha256": "a1158fdbcf3fc5195cdf4ebab8d8dbbcdc9dc76ecc1423ffd3dd699fd8394b9c",
            "import_time": "2025-12-02T22:30:56.297349614Z",
            "modified_time": "2025-07-05T11:05:55Z"
        },
        {
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "source": "kam193",
            "id": "pypi/2025-07-pipmodule83/pipmodule823",
            "sha256": "57b078ffca6f219848df2289282933442be06a2932d0d163ede59fe4a533faca",
            "import_time": "2025-12-02T23:07:19.484732385Z",
            "modified_time": "2025-07-05T11:05:55Z"
        },
        {
            "source": "kam193",
            "id": "pypi/2025-07-pipmodule83/pipmodule823",
            "sha256": "6d2582054e706611dceb4c2d9738b0953657440d6e7e584c78bbb042fcef1334",
            "import_time": "2025-12-10T21:38:58.600519383Z",
            "versions": [
                "1.0.2"
            ],
            "modified_time": "2025-07-05T11:05:55Z"
        },
        {
            "source": "reversing-labs",
            "id": "RLUA-2026-00593",
            "sha256": "fa3490f2a31ab11a9d8b1ca9485f679f083c8a738dafe24d38ef0c5048e08fa0",
            "import_time": "2026-03-19T12:20:12.258335154Z",
            "modified_time": "2026-03-18T12:16:57Z"
        }
    ],
    "iocs": {
        "domains": [
            "jjjy-9mb.pages.dev"
        ],
        "urls": [
            "https://jjjy-9mb.pages.dev/j.vbs"
        ]
    }
}

Affected packages

PyPI / pipmodule823

Affected versions

1.*
1.0.2

Database specific

source: "https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pipmodule823/MAL-2025-6564.json"