MAL-2025-961

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/python-bitget-connect/MAL-2025-961.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-961
Published
2024-12-12T21:48:47Z
Modified
2026-03-19T12:56:05.397635Z
Summary
Malicious code in python-bitget-connect (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (1797b7fdf9859888b5495817784ead0bdc01e6acad5ae410af1e1df89acbded6)

Importing the module starts an obfuscated PowerShell code, which downloads and executes a remote script. On Windows, the script appears to just start the calculator. On MacOS, the file is identified as a Spark RAT by multiple vendors. Package impersonate the legitimate "python-bitget".


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2024-12-python-bitget-api

Reasons (based on the campaign):

  • typosquatting

  • obfuscation

  • clones-real-package

  • dependency-confusion

  • crypto-related

  • impersonation

  • Downloads and executes a remote malicious script.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "0.3.9"
            ],
            "sha256": "1c2a19d0fe7a2ac013b9ce0b76bd2facb91b7a7b305be7767645e72286f55894",
            "modified_time": "2025-02-03T17:07:42Z",
            "source": "reversing-labs",
            "id": "RLMA-2025-00502",
            "import_time": "2025-02-03T18:38:08.097841016Z"
        },
        {
            "sha256": "aa12b88321b56f82aa423aee52c57fab95d744803b0fd744df340210f8f6e85c",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "modified_time": "2024-12-12T21:48:47Z",
            "source": "kam193",
            "id": "pypi/2024-12-python-bitget-api/python-bitget-connect",
            "import_time": "2025-12-02T22:30:55.488457372Z"
        },
        {
            "sha256": "1797b7fdf9859888b5495817784ead0bdc01e6acad5ae410af1e1df89acbded6",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "modified_time": "2024-12-12T21:48:47Z",
            "source": "kam193",
            "id": "pypi/2024-12-python-bitget-api/python-bitget-connect",
            "import_time": "2025-12-02T23:07:18.513665753Z"
        },
        {
            "versions": [
                "0.3.9"
            ],
            "sha256": "7a012e54aba8c610d9e40e9a50c454f98125e42ebbec3d391c859abf2863e5d3",
            "modified_time": "2024-12-12T21:48:47Z",
            "source": "kam193",
            "id": "pypi/2024-12-python-bitget-api/python-bitget-connect",
            "import_time": "2025-12-10T21:38:57.725120327Z"
        },
        {
            "sha256": "89bb36508379d918bcf29f652ce05951a9ef5c67a82b0d56912b5fb5f33472e4",
            "modified_time": "2026-03-18T12:17:41Z",
            "source": "reversing-labs",
            "id": "RLUA-2026-00653",
            "import_time": "2026-03-19T12:20:17.442964361Z"
        }
    ],
    "iocs": {
        "urls": [
            "https://dl.dropboxusercontent.com/scl/fi/bkhek6zqbo0cqgboteegj/1.txt?rlkey=yn18m53jayba4e3m5bdi02czm&st=eh1edmf0&dl=0",
            "https://dl.dropboxusercontent.com/scl/fi/6hg0a8fg9m36eahv88rwo/template?rlkey=0vkaw44mh3gak6y82l4ht39zg&st=ygbc7qgh&dl=0"
        ]
    }
}
References
Credits

Affected packages

PyPI / python-bitget-connect

Package

Name
python-bitget-connect
View open source insights on deps.dev
Purl
pkg:pypi/python-bitget-connect

Affected ranges

Affected versions

0.*
0.3.9

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/python-bitget-connect/MAL-2025-961.json"