MAL-2026-2245

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/requests-testik111/MAL-2026-2245.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-2245

Published

2026-03-26T21:35:07Z

Modified

2026-03-27T17:32:11.911700Z

Summary

Malicious code in requests-testik111 (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (72561775d8d7a7c1e47c83f2a7e13ed9eeb776d05ca6924cfcceaca7cad0cfef)

Clones of legitimate libraries with malicious modifications intended to download malicious remote code. The remote script allows executing arbitrary files through a Telegram as C2 channel. The package installs a generic entry point triggering malicious action.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-03-pipipipi

Reasons (based on the campaign):

clones-real-package
rat
Downloads and executes a remote malicious script.
typosquatting

Database specific

{
    "iocs": {
        "urls": [
            "https://tinyurl.com/47h5bmcw",
            "https://www.dropbox.com/scl/fi/ybqsqvbquwbk9h59aottq/shadowsocksvpn.ps1?rlkey=2huygpgfs1pmasr9h70tr9zti&st=1ghv9gld&dl=1"
        ]
    },
    "malicious-packages-origins": [
        {
            "versions": [
                "2.33.0"
            ],
            "sha256": "aedb173dfc5c586ad97943eb6241c3a4b08ff848e621f0dbad22dfbd728a5aa4",
            "id": "pypi/2026-03-pipipipi/requests-testik111",
            "import_time": "2026-03-26T21:44:48.192904322Z",
            "modified_time": "2026-03-26T21:35:07.694582Z",
            "source": "kam193"
        },
        {
            "versions": [
                "2.33.0"
            ],
            "sha256": "c3a80dffc6678a63f50a766f83d379e3350500d84e36d2b9fddd49b7edde7810",
            "id": "pypi/2026-03-pipipipi/requests-testik111",
            "import_time": "2026-03-27T16:49:37.678654975Z",
            "modified_time": "2026-03-26T21:35:07.694582Z",
            "source": "kam193"
        },
        {
            "versions": [
                "2.33.0"
            ],
            "sha256": "72561775d8d7a7c1e47c83f2a7e13ed9eeb776d05ca6924cfcceaca7cad0cfef",
            "id": "pypi/2026-03-pipipipi/requests-testik111",
            "import_time": "2026-03-27T17:22:28.88257537Z",
            "modified_time": "2026-03-26T21:35:07.694582Z",
            "source": "kam193"
        }
    ]
}

References

https://bad-packages.kam193.eu/pypi/package/requests-testik111

Credits

- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/

Affected packages

PyPI / requests-testik111

Package

Name: requests-testik111; View open source insights on deps.dev
Purl: pkg:pypi/requests-testik111

Affected ranges

Affected versions

2.*

2.33.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/requests-testik111/MAL-2026-2245.json"