MAL-2025-962

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/python-bitget-request/MAL-2025-962.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2025-962
Published
2024-12-12T21:48:47Z
Modified
2025-12-12T20:41:33.519591Z
Summary
Malicious code in python-bitget-request (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (bf787bcce66ad47046d93086a114a0f144b0f538b3d969fea6aea42b2312f58b)

Importing the module starts obfuscated PowerShell code, which downloads and executes a remote script. On Windows, the script appears to just start the calculator. On macOS, the file is identified as a Spark RAT by multiple vendors. The package impersonates the legitimate "python-bitget".


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2024-12-python-bitget-api

Reasons (based on the campaign):

  • typosquatting

  • obfuscation

  • clones-real-package

  • dependency-confusion

  • crypto-related

  • impersonation

  • Downloads and executes a remote malicious script.

Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2025-02-03T18:38:08.191671435Z",
            "modified_time": "2025-02-03T17:07:43Z",
            "source": "reversing-labs",
            "versions": [
                "3.9.5",
                "4.9.5"
            ],
            "sha256": "12c0558f868db13c2258c4dcff1e3b8b7b7a563e9dc507a0381255dbb48be096",
            "id": "RLMA-2025-00503"
        },
        {
            "import_time": "2025-12-02T22:30:55.489301941Z",
            "modified_time": "2024-12-12T21:48:47Z",
            "source": "kam193",
            "sha256": "869a2b96575d696799f9aafd928391f67ea03b8dc055c567994919d943894c8d",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "id": "pypi/2024-12-python-bitget-api/python-bitget-request"
        },
        {
            "import_time": "2025-12-02T23:07:18.514553691Z",
            "modified_time": "2024-12-12T21:48:47Z",
            "source": "kam193",
            "sha256": "bf787bcce66ad47046d93086a114a0f144b0f538b3d969fea6aea42b2312f58b",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "id": "pypi/2024-12-python-bitget-api/python-bitget-request"
        },
        {
            "import_time": "2025-12-10T21:38:57.735046422Z",
            "modified_time": "2024-12-12T21:48:47Z",
            "source": "kam193",
            "versions": [
                "3.9.5",
                "4.9.5"
            ],
            "sha256": "0639742fe0ca7fa0b75e7e4e382a95881173dfadb96c916d848954084d7ae1b2",
            "id": "pypi/2024-12-python-bitget-api/python-bitget-request"
        }
    ],
    "iocs": {
        "urls": [
            "https://dl.dropboxusercontent.com/scl/fi/bkhek6zqbo0cqgboteegj/1.txt?rlkey=yn18m53jayba4e3m5bdi02czm&st=eh1edmf0&dl=0",
            "https://dl.dropboxusercontent.com/scl/fi/6hg0a8fg9m36eahv88rwo/template?rlkey=0vkaw44mh3gak6y82l4ht39zg&st=ygbc7qgh&dl=0"
        ]
    }
}

Affected packages

PyPI / python-bitget-request

Package

Name
python-bitget-request
Purl
pkg:pypi/python-bitget-request

Affected ranges

Affected versions

3.*

3.9.5

4.*

4.9.5

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/python-bitget-request/MAL-2025-962.json"