MAL-2026-492

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/tableates/MAL-2026-492.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-492
Published
2026-01-23T13:57:05Z
Modified
2026-03-19T12:57:13.107911Z
Summary
Malicious code in tableates (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (c69d9a3e244227f4e4146b60829ead907656c47989b3b83e1e5f56a2c06064ff)

Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in background periodically connects to a remote host and waits for next code to execute


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-11-spellcheckers

Reasons (based on the campaign):

  • obfuscation

  • Downloads and executes a remote malicious script.

  • The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "1.0.3",
                "1.0.4",
                "1.0.5"
            ],
            "sha256": "c69d9a3e244227f4e4146b60829ead907656c47989b3b83e1e5f56a2c06064ff",
            "modified_time": "2026-01-23T13:57:05.835738Z",
            "source": "kam193",
            "id": "pypi/2025-11-spellcheckers/tableates",
            "import_time": "2026-01-23T14:43:12.199478853Z"
        },
        {
            "versions": [
                "1.0.3",
                "1.0.4",
                "1.0.5"
            ],
            "sha256": "5a8919788006840612f4bfd881d7fdf82ca62a2dd06118ee99f95f1e4b58d4e4",
            "modified_time": "2026-01-23T14:57:05.807792Z",
            "source": "kam193",
            "id": "pypi/2025-11-spellcheckers/tableates",
            "import_time": "2026-01-23T15:42:03.010165456Z"
        },
        {
            "versions": [
                "1.0.3",
                "1.0.4",
                "1.0.5",
                "1.0.6"
            ],
            "sha256": "86d83c5da161b2b46a739b6aa32c4c53f00a83005d767ce5fbab1ef9e796eb23",
            "modified_time": "2026-01-26T09:11:02.940746Z",
            "source": "kam193",
            "id": "pypi/2025-11-spellcheckers/tableates",
            "import_time": "2026-01-26T09:46:20.474369254Z"
        },
        {
            "versions": [
                "1.0.3",
                "1.0.4",
                "1.0.5",
                "1.0.6"
            ],
            "sha256": "32af1b264b13fe7b0871495d3893aa755750bb3295157df3893053e12bb69332",
            "modified_time": "2026-01-26T09:11:02.940746Z",
            "source": "kam193",
            "id": "pypi/2025-11-spellcheckers/tableates",
            "import_time": "2026-01-27T18:48:13.392410199Z"
        },
        {
            "versions": [
                "1.0.3",
                "1.0.4",
                "1.0.5",
                "1.0.6"
            ],
            "sha256": "a2e615bd9e46250348c3f1a6e688fede60bc297ba28cd13b1b0043f4e1e144f0",
            "modified_time": "2026-01-26T09:11:02.940746Z",
            "source": "kam193",
            "id": "pypi/2025-11-spellcheckers/tableates",
            "import_time": "2026-01-28T19:11:43.703188948Z"
        },
        {
            "versions": [
                "1.0.3",
                "1.0.4",
                "1.0.5",
                "1.0.6"
            ],
            "sha256": "ce121c5b26cc5d9b73c0fda2ed81ad594b6af77ff4943990f6edda3d3f46f906",
            "modified_time": "2026-01-26T09:11:02.940746Z",
            "source": "kam193",
            "id": "pypi/2025-11-spellcheckers/tableates",
            "import_time": "2026-03-11T10:47:48.531126377Z"
        },
        {
            "versions": [
                "1.0.1",
                "1.0.2",
                "1.0.3",
                "1.0.4",
                "1.0.5",
                "1.0.6"
            ],
            "sha256": "56bf81438578d2b6a6b54e86e1214a5b26c09627c0a28fa54e1643afe75aa6a2",
            "modified_time": "2026-03-18T12:19:17Z",
            "source": "reversing-labs",
            "id": "RLMA-2026-00801",
            "import_time": "2026-03-19T12:18:19.963980677Z"
        }
    ],
    "iocs": {
        "urls": [
            "https://dothebest.store/allow/inform.php",
            "https://dothebest.store/refresh.php",
            "https://searchbox.info/prefer.php",
            "https://updatenet.work/settings/history.php"
        ],
        "domains": [
            "dothebest.store",
            "searchbox.info",
            "updatenet.work"
        ]
    }
}
References
Credits

Affected packages

PyPI / tableates

Package

Affected ranges

Affected versions

1.*
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/tableates/MAL-2026-492.json"