{"id":"MAL-2024-10105","summary":"Malicious code in popeye-pip-v3 (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (940ada25d3157d4f88092627a5a8eedb98abf86933890ce13193d4878d2698ee)\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.\n\n\nCampaign: 2024-01-moye-moye\n\n\nReasons (based on the campaign):\n\n\n - exfiltration-ssh-keys\n\n\n - exfiltration-env-variables\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n","modified":"2026-03-19T12:55:16.364434Z","published":"2024-07-22T20:38:38Z","database_specific":{"malicious-packages-origins":[{"sha256":"a7a9ce4cd94cb5a57ba8a09af77389f3c011f732cee52ebeb951c518de738aca","versions":["1.0.4"],"modified_time":"2024-10-16T14:46:17Z","id":"RLMA-2024-08770","import_time":"2024-10-24T00:57:04.758060633Z","source":"reversing-labs"},{"sha256":"0a4769d7788bb3797b628ce45eaef49bd3beb2bc3e884fbd93c7897a3f5d66fe","modified_time":"2024-07-22T20:38:38Z","id":"pypi/2024-01-moye-moye/popeye-pip-v3","import_time":"2025-12-02T22:30:56.304846542Z","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"source":"kam193"},{"sha256":"940ada25d3157d4f88092627a5a8eedb98abf86933890ce13193d4878d2698ee","modified_time":"2024-07-22T20:38:38Z","id":"pypi/2024-01-moye-moye/popeye-pip-v3","import_time":"2025-12-02T23:07:19.493270711Z","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"source":"kam193"},{"sha256":"9a333a0e0b4d06c09c019715bed11d7861602dea23cf0d0311795076cfb4aae6","versions":["1.0.4"],"modified_time":"2024-07-22T20:38:38Z","id":"pypi/2024-01-moye-moye/popeye-pip-v3","import_time":"2025-12-10T21:38:58.607195046Z","source":"kam193"},{"sha256":"e80b79d472a29b102c5ee1fd26181f352253575d7ebc1badc7df9067ffa4a845","modified_time":"2026-03-18T12:17:04Z","id":"RLUA-2026-00599","import_time":"2026-03-19T12:20:12.866165485Z","source":"reversing-labs"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/popeye-pip-v3"}],"affected":[{"package":{"name":"popeye-pip-v3","ecosystem":"PyPI","purl":"pkg:pypi/popeye-pip-v3"},"versions":["1.0.4"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/popeye-pip-v3/MAL-2024-10105.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}