MAL-2026-1240

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/requests-ml-min/MAL-2026-1240.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-1240

Published

2026-03-04T17:24:20Z

Modified

2026-03-23T20:32:11.832321Z

Summary

Malicious code in requests-ml-min (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (caf988849523549406a61384e2c9f8e01d6edf3ad71e5cba77ca7c3987863f1d)

During installation, the package starts obfuscated code that downloads and runs remote executables in specific environments. In some packages in the campaign, the code only attempts to exfiltrate some basic information using DNS requests and then likely cover tracks by installing a similarly named package from private repository

Related campaigns: 2026-02-spark-audit-notify, 2026-03-geekennedy

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-02-urllib-slim

Reasons (based on the campaign):

typosquatting
Downloads and executes a remote executable.
obfuscation
dependency-confusion

Database specific

{
    "malicious-packages-origins": [
        {
            "import_time": "2026-03-04T18:19:12.634679506Z",
            "modified_time": "2026-03-04T17:24:20.539536Z",
            "sha256": "50b58a918d401d420b3c2cf32e907bfa5a54052427b44d64242e99cc7a164bb7",
            "source": "kam193",
            "versions": [
                "3.45"
            ],
            "id": "pypi/2026-02-urllib-slim/requests-ml-min"
        },
        {
            "import_time": "2026-03-23T20:16:57.850053504Z",
            "modified_time": "2026-03-04T17:24:20.539536Z",
            "sha256": "caf988849523549406a61384e2c9f8e01d6edf3ad71e5cba77ca7c3987863f1d",
            "source": "kam193",
            "versions": [
                "3.45"
            ],
            "id": "pypi/2026-02-urllib-slim/requests-ml-min"
        }
    ],
    "iocs": {
        "domains": [
            "1r.vc",
            "i.1r.vc"
        ],
        "urls": [
            "https://storage.googleapis.com/py-pi/python_mac",
            "https://storage.googleapis.com/py-pi/python_rhel",
            "https://storage.googleapis.com/py-pi/python_win"
        ]
    }
}

References

Credits

- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / requests-ml-min

Package

Name: requests-ml-min; View open source insights on deps.dev
Purl: pkg:pypi/requests-ml-min

Affected ranges

Affected versions

3.*

3.45

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/requests-ml-min/MAL-2026-1240.json"