MAL-2026-1225

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/urllib-slim/MAL-2026-1225.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-1225

Published

2026-03-03T17:51:17Z

Modified

2026-03-23T20:32:11.145643Z

Summary

Malicious code in urllib-slim (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (acbcedbcc1d5bafffbb66128eae99b1fdc6c8e62b65bedd8f62ee2790919d972)

During installation, the package starts obfuscated code that downloads and runs remote executables in specific environments. In some packages in the campaign, the code only attempts to exfiltrate some basic information using DNS requests and then likely cover tracks by installing a similarly named package from private repository

Related campaigns: 2026-02-spark-audit-notify, 2026-03-geekennedy

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-02-urllib-slim

Reasons (based on the campaign):

typosquatting
Downloads and executes a remote executable.
obfuscation
dependency-confusion

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "pypi/2026-02-urllib-slim/urllib-slim",
            "import_time": "2026-03-03T18:20:16.086769969Z",
            "source": "kam193",
            "versions": [
                "9.31",
                "9.32",
                "9.33",
                "9.34",
                "9.35"
            ],
            "modified_time": "2026-03-03T17:52:53.800886Z",
            "sha256": "ab38fb394a17f30f0503cdeb9f982f99aaec2c5f43496b6e5d7ccd505d926915"
        },
        {
            "id": "pypi/2026-02-urllib-slim/urllib-slim",
            "import_time": "2026-03-03T19:20:04.717631436Z",
            "source": "kam193",
            "versions": [
                "9.31",
                "9.32",
                "9.33",
                "9.34",
                "9.35",
                "9.36"
            ],
            "modified_time": "2026-03-03T18:32:08.971007Z",
            "sha256": "af9dfb22d0369590148408b736b7cdc45bf01c59f22fe6ee498809384081c452"
        },
        {
            "id": "pypi/2026-02-urllib-slim/urllib-slim",
            "import_time": "2026-03-23T20:16:57.852488499Z",
            "source": "kam193",
            "versions": [
                "9.31",
                "9.32",
                "9.33",
                "9.34",
                "9.35",
                "9.36"
            ],
            "modified_time": "2026-03-03T18:32:08.971007Z",
            "sha256": "acbcedbcc1d5bafffbb66128eae99b1fdc6c8e62b65bedd8f62ee2790919d972"
        }
    ],
    "iocs": {
        "urls": [
            "https://storage.googleapis.com/py-pi/python_mac",
            "https://storage.googleapis.com/py-pi/python_rhel",
            "https://storage.googleapis.com/py-pi/python_win"
        ],
        "domains": [
            "1r.vc",
            "i.1r.vc"
        ]
    }
}

References

Credits

- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / urllib-slim

Package

Name: urllib-slim; View open source insights on deps.dev
Purl: pkg:pypi/urllib-slim

Affected ranges

Affected versions

9.*

9.31

9.32

9.33

9.34

9.35

9.36

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/urllib-slim/MAL-2026-1225.json"