MAL-2025-991

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/sysfunc/MAL-2025-991.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2025-991

Published

2024-12-26T12:24:34Z

Modified

2026-03-19T12:57:06.779879Z

Summary

Malicious code in sysfunc (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (9dc5d09b08f080ad350524a6620877c69339aac5885f4ddb2cbaec68bfa2d3ee)

Importing the module starts downloading and executing an Infostealer targeting browsers' and Discord data

In first packages, there was a hidden line triggering downloading and running an infostealer

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2024-12-syscontrol

Reasons (based on the campaign):

infostealer
obfuscation
action-hidden-in-lib-usage
infostealer:kiwi
exfiltration-browser-data
exfiltration-crypto

Database specific

{
    "malicious-packages-origins": [
        {
            "modified_time": "2025-02-03T17:07:58Z",
            "versions": [
                "0.1",
                "0.2",
                "0.3",
                "0.4",
                "0.5",
                "0.6",
                "0.7",
                "0.8"
            ],
            "sha256": "76180ff45802342233033d7378ec3f78369fadcb0a9c7be414793436dfcad03a",
            "id": "RLMA-2025-00532",
            "source": "reversing-labs",
            "import_time": "2025-02-03T18:38:09.753882742Z"
        },
        {
            "modified_time": "2024-12-26T12:24:34Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "sha256": "0b3ce812db39763e0854d9b75e80eeadffed06c2875005db939a6d8023d13c4b",
            "id": "pypi/2024-12-syscontrol/sysfunc",
            "source": "kam193",
            "import_time": "2025-12-02T22:30:55.62270865Z"
        },
        {
            "modified_time": "2024-12-26T12:24:34Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "sha256": "9dc5d09b08f080ad350524a6620877c69339aac5885f4ddb2cbaec68bfa2d3ee",
            "id": "pypi/2024-12-syscontrol/sysfunc",
            "source": "kam193",
            "import_time": "2025-12-02T23:07:18.663753678Z"
        },
        {
            "modified_time": "2024-12-26T12:24:34Z",
            "versions": [
                "0.1",
                "0.2",
                "0.3",
                "0.6",
                "0.4",
                "0.5",
                "0.7",
                "0.8"
            ],
            "sha256": "bb6fcf947f0867019b1af6de16cb5676e83ed4e041fdc241285a847337cb5cdd",
            "id": "pypi/2024-12-syscontrol/sysfunc",
            "source": "kam193",
            "import_time": "2025-12-10T21:38:57.851746847Z"
        },
        {
            "modified_time": "2024-12-26T12:24:34Z",
            "versions": [
                "0.1",
                "0.2",
                "0.3",
                "0.4",
                "0.5",
                "0.6",
                "0.7",
                "0.8"
            ],
            "sha256": "16caf81a573979aa05c7143b44582d76dcb09b7dfedff3a5c18adc998a934f15",
            "id": "pypi/2024-12-syscontrol/sysfunc",
            "source": "kam193",
            "import_time": "2025-12-30T22:39:04.19117514Z"
        },
        {
            "modified_time": "2026-03-18T12:19:13Z",
            "sha256": "d2d45ac5313e4cc4d9771cd83bc6ae00a4501f39f4b3c7337e218c83dbd3e81c",
            "id": "RLUA-2026-00796",
            "source": "reversing-labs",
            "import_time": "2026-03-19T12:20:31.423351628Z"
        }
    ],
    "iocs": {
        "urls": [
            "http://45.142.115.225:8000/grab/DaTDTcxiSvq9OA6r",
            "http://45.142.115.225:8000/inject/DaTDTcxiSvq9OA6r",
            "http://45.142.115.225:8000/grab/DaTDTcxiSvq9OA6r",
            "http://45.142.115.225:8000/repeter/DaTDTcxiSvq9OA6r",
            "https://cdn.discordapp.com/attachments/1086668425797058691/1113770559688413245/app.asar",
            "https://cdn.discordapp.com/attachments/1135684724585681039/1143224080603037827/app.asar"
        ],
        "ips": [
            "45.142.115.225"
        ]
    }
}

References

https://bad-packages.kam193.eu/pypi/package/sysfunc

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- ReversingLabs - FINDER
- - https://www.reversinglabs.com

Affected packages

PyPI / sysfunc

Package

Name: sysfunc; View open source insights on deps.dev
Purl: pkg:pypi/sysfunc

Affected ranges

Affected versions

0.*

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/sysfunc/MAL-2025-991.json"