-= Per source details. Do not edit below this line.=-
Packages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in background periodically connects to a remote host and waits for next code to execute
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-11-spellcheckers
Reasons (based on the campaign):
obfuscation
Downloads and executes a remote malicious script.
The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.
{
"iocs": {
"domains": [
"dothebest.store",
"searchbox.info",
"updatenet.work"
],
"urls": [
"https://dothebest.store/allow/inform.php",
"https://dothebest.store/refresh.php",
"https://searchbox.info/prefer.php",
"https://updatenet.work/settings/history.php",
"https://dothebest.store/allow"
]
},
"malicious-packages-origins": [
{
"versions": [
"1.0.1"
],
"modified_time": "2026-01-28T07:42:32.283211Z",
"sha256": "499d47c3064299cb3d921b32ac9f22c2bab7b0b841b3de3a0cee3029625d5d26",
"id": "pypi/2025-11-spellcheckers/tabullates",
"source": "kam193",
"import_time": "2026-01-28T08:10:46.453455711Z"
},
{
"versions": [
"1.0.1",
"1.0.2"
],
"modified_time": "2026-01-28T09:03:09.192995Z",
"sha256": "f5af0290d2ad9a879ef3624e8cca4bec9095fdb44db0282b226e13ea50ff92bd",
"id": "pypi/2025-11-spellcheckers/tabullates",
"source": "kam193",
"import_time": "2026-01-28T09:46:09.164774837Z"
},
{
"versions": [
"1.0.1",
"1.0.2",
"1.0.3"
],
"modified_time": "2026-01-28T11:09:45.671528Z",
"sha256": "65716e7bcfa81eb62800794a53ce1f01c6593e89a016b3d30f7803e3107036c4",
"id": "pypi/2025-11-spellcheckers/tabullates",
"source": "kam193",
"import_time": "2026-01-28T11:39:32.809136179Z"
},
{
"versions": [
"1.0.1",
"1.0.2",
"1.0.3",
"1.0.4"
],
"modified_time": "2026-01-28T13:24:12.682678Z",
"sha256": "6af1b6872fcae12cc1651e6981265f929ab2532437971cb983876a9ae6e01aaf",
"id": "pypi/2025-11-spellcheckers/tabullates",
"source": "kam193",
"import_time": "2026-01-28T13:49:01.828657965Z"
},
{
"versions": [
"1.0.1",
"1.0.2",
"1.0.3",
"1.0.4"
],
"modified_time": "2026-01-28T13:24:12.682678Z",
"sha256": "8a340ee49ae80adf9f248ab7d565ff184ce2b93466a522ba91c321a9fe1c7a8f",
"id": "pypi/2025-11-spellcheckers/tabullates",
"source": "kam193",
"import_time": "2026-01-28T19:11:43.706788748Z"
},
{
"versions": [
"1.0.1",
"1.0.2",
"1.0.3",
"1.0.4"
],
"modified_time": "2026-01-28T13:24:12.682678Z",
"sha256": "7fdbcc76dc779d82632d7bfa1643843861e17cb03839382640c68637b61627ff",
"id": "pypi/2025-11-spellcheckers/tabullates",
"source": "kam193",
"import_time": "2026-03-11T10:47:48.538928009Z"
}
]
}