{"id":"MAL-2024-10106","summary":"Malicious code in popeye-xyz (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (583bf7b6e6437de01c7cb0cf1793e661cb0e344ba8a2235ecebc18a9bfd50a75)\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.\n\n\nCampaign: 2024-01-moye-moye\n\n\nReasons (based on the campaign):\n\n\n - exfiltration-ssh-keys\n\n\n - exfiltration-env-variables\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n","modified":"2026-03-19T12:55:16.052635Z","published":"2024-07-22T20:38:38Z","database_specific":{"malicious-packages-origins":[{"source":"reversing-labs","id":"RLMA-2024-08771","import_time":"2024-10-24T00:57:04.811006585Z","sha256":"f404c50ebff2e57f810c1cc3a599833e8be988537b95493ebaa3ea814ec38baa","versions":["1.0.4"],"modified_time":"2024-10-16T14:46:18Z"},{"sha256":"0bc2eec7320b22034410553eade32e6bccc13c48fe113a327b786162e9779201","id":"pypi/2024-01-moye-moye/popeye-xyz","import_time":"2025-12-02T22:30:56.306591984Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"source":"kam193","modified_time":"2024-07-22T20:38:38Z"},{"sha256":"583bf7b6e6437de01c7cb0cf1793e661cb0e344ba8a2235ecebc18a9bfd50a75","id":"pypi/2024-01-moye-moye/popeye-xyz","import_time":"2025-12-02T23:07:19.495133019Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"source":"kam193","modified_time":"2024-07-22T20:38:38Z"},{"source":"kam193","id":"pypi/2024-01-moye-moye/popeye-xyz","import_time":"2025-12-10T21:38:58.609052347Z","sha256":"1918134ca56ca1e6aeec18abb5cc6b7905809dab37df47f960118fa0daab23c5","versions":["1.0.4"],"modified_time":"2024-07-22T20:38:38Z"},{"source":"reversing-labs","id":"RLUA-2026-00600","import_time":"2026-03-19T12:20:12.952227822Z","sha256":"b7bc750edca00cff59ec5d72b325e28a475be39b4de0f9151f393b43894209a1","modified_time":"2026-03-18T12:17:04Z"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/popeye-xyz"}],"affected":[{"package":{"name":"popeye-xyz","ecosystem":"PyPI","purl":"pkg:pypi/popeye-xyz"},"versions":["1.0.4"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/popeye-xyz/MAL-2024-10106.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}