MAL-2026-2309

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/zzzzthisisitwantsafecheckitzzzz/MAL-2026-2309.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-2309

Published

2026-03-31T03:35:47Z

Modified

2026-03-31T05:34:31.371012Z

Summary

Malicious code in zzzzthisisitwantsafecheckitzzzz (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (fbef17827bf88f06c2278d700e386c98e2f1360fd533ba1415c9060ff56a037f)

During installation, if run under a specific username, the package downloads and installs two executables identified as backdoors trojans.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-03-thisismytest123

Reasons (based on the campaign):

Downloads and executes a remote executable.
backdoor
malware

Source: ossf-package-analysis (517f20d2093597e92a397fc04e64a0bf27ba6ce0ca20799cba922a76133594fe)

The OpenSSF Package Analysis project identified 'zzzzthisisitwantsafecheckitzzzz' @ 1.0.0 (pypi) as malicious.

It is considered malicious because:

The package executes one or more commands associated with malicious behavior.

Database specific

{
    "malicious-packages-origins": [
        {
            "import_time": "2026-03-31T04:23:27.463708557Z",
            "source": "ossf-package-analysis",
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-03-31T03:35:47Z",
            "sha256": "517f20d2093597e92a397fc04e64a0bf27ba6ce0ca20799cba922a76133594fe"
        },
        {
            "id": "pypi/2026-03-thisismytest123/zzzzthisisitwantsafecheckitzzzz",
            "import_time": "2026-03-31T05:17:28.540293509Z",
            "source": "kam193",
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-03-31T04:11:30.046711Z",
            "sha256": "fbef17827bf88f06c2278d700e386c98e2f1360fd533ba1415c9060ff56a037f"
        }
    ],
    "iocs": {
        "urls": [
            "http://8.217.174.149:8888/supershell/compile/download/java",
            "https://shim.oss-cn-hongkong.aliyuncs.com/shim",
            "https://shim.oss-cn-hongkong.aliyuncs.com/shim.conf"
        ]
    }
}

References

Credits

- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- OpenSSF: Package Analysis - FINDER
- - https://github.com/ossf/package-analysis
  - https://openssf.slack.com/channels/package_analysis

Affected packages

PyPI / zzzzthisisitwantsafecheckitzzzz

Package

Name: zzzzthisisitwantsafecheckitzzzz; View open source insights on deps.dev
Purl: pkg:pypi/zzzzthisisitwantsafecheckitzzzz

Affected ranges

Affected versions

1.*

1.0.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/zzzzthisisitwantsafecheckitzzzz/MAL-2026-2309.json"