MAL-2025-988
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/subsys-client/MAL-2025-988.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2025-988
- Published
- 2024-12-26T12:24:34Z
- Modified
- 2026-03-19T12:57:07.337700Z
- Summary
- Malicious code in subsys-client (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: kam193 (cd448fe7b92604e9718438328baa70266ded0a4e0c105f7663c9256b6eeea18b)
Importing the module starts downloading and executing an Infostealer targeting browsers' and Discord data
In first packages, there was a hidden line triggering downloading and running an infostealer
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2024-12-syscontrol
Reasons (based on the campaign):
infostealer
obfuscation
action-hidden-in-lib-usage
infostealer:kiwi
exfiltration-browser-data
exfiltration-crypto
- Database specific
{ "malicious-packages-origins": [ { "sha256": "caa68805559269bccd60d7056f310073ad7977cb3ba96c05f7dccfd812238abf", "modified_time": "2025-02-03T17:07:56Z", "id": "RLMA-2025-00529", "versions": [ "0.1", "0.2" ], "import_time": "2025-02-03T18:38:09.612900802Z", "source": "reversing-labs" }, { "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "modified_time": "2024-12-26T12:24:34Z", "id": "pypi/2024-12-syscontrol/subsys-client", "sha256": "a4c9023286b95175e83bff61b4a895f2fcbd0e48b6e66cc9f6daa62ef62e59bc", "import_time": "2025-12-02T22:30:55.614961271Z", "source": "kam193" }, { "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" } ] } ], "modified_time": "2024-12-26T12:24:34Z", "id": "pypi/2024-12-syscontrol/subsys-client", "sha256": "cd448fe7b92604e9718438328baa70266ded0a4e0c105f7663c9256b6eeea18b", "import_time": "2025-12-02T23:07:18.655220743Z", "source": "kam193" }, { "sha256": "9f489a70860edf070aad7df8d9fbc44635c03d2cd51fbb1e4c0edaa9f882ce51", "modified_time": "2024-12-26T12:24:34Z", "id": "pypi/2024-12-syscontrol/subsys-client", "versions": [ "0.1", "0.2" ], "import_time": "2025-12-10T21:38:57.845259864Z", "source": "kam193" }, { "sha256": "52a97a2d7cb19c5be050fb3cd226ad5456a9186b47d2c433134deb4a3d1f466a", "modified_time": "2026-03-18T12:19:06Z", "id": "RLUA-2026-00784", "import_time": "2026-03-19T12:20:30.198473365Z", "source": "reversing-labs" } ], "iocs": { "ips": [ "45.142.115.225" ], "urls": [ "http://45.142.115.225:8000/grab/DaTDTcxiSvq9OA6r", "http://45.142.115.225:8000/inject/DaTDTcxiSvq9OA6r", "http://45.142.115.225:8000/grab/DaTDTcxiSvq9OA6r", "http://45.142.115.225:8000/repeter/DaTDTcxiSvq9OA6r", "https://cdn.discordapp.com/attachments/1086668425797058691/1113770559688413245/app.asar", "https://cdn.discordapp.com/attachments/1135684724585681039/1143224080603037827/app.asar" ] } }- References
- Credits
-
-
- Kamil Mańkowski (kam193)
-
- Kamil Mańkowski (kam193) - ANALYST
-
- ReversingLabs - FINDER
-
Affected packages
PyPI / subsys-client
Package
- Name
- subsys-client
- View open source insights on deps.dev
- Purl
- pkg:pypi/subsys-client