MAL-2026-933

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pywin-simple-gui/MAL-2026-933.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-933
Published
2026-02-17T23:14:17Z
Modified
2026-02-17T23:48:30.074797Z
Summary
Malicious code in pywin-simple-gui (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (43b40c0dbbbc187822a28a401194873adc73d13e531f2789c4227374f7ec9e26)

The package pretends to be a development helper but, in fact, downloads a remote executable. Dynamic analysis reveals actions like disabling Windows Defender and interest in cryptocurrencies as well as using Telegram as C2.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-02-pywin-simple-gui

Reasons (based on the campaign):

  • impersonation

  • Downloads and executes a remote executable.

  • modify-system-without-consent

  • crypto-related

Database specific
{
    "iocs": {
        "domains": [
            "loejfrw2.ignorelist.com"
        ],
        "urls": [
            "http://loejfrw2.ignorelist.com/opt/adm/lct/util32X.exe",
            "http://loejfrw2.ignorelist.com/opt/adm/lct/Mont.txt"
        ]
    },
    "malicious-packages-origins": [
        {
            "import_time": "2026-02-17T23:43:33.858164494Z",
            "modified_time": "2026-02-17T23:14:17.43781Z",
            "id": "pypi/2026-02-pywin-simple-gui/pywin-simple-gui",
            "sha256": "43b40c0dbbbc187822a28a401194873adc73d13e531f2789c4227374f7ec9e26",
            "source": "kam193",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}

Affected packages

PyPI / pywin-simple-gui

Package

Name
pywin-simple-gui
Purl
pkg:pypi/pywin-simple-gui

Affected ranges

Affected versions

1.*
1.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pywin-simple-gui/MAL-2026-933.json"