{"id":"MAL-2024-11564","summary":"Malicious code in crypto-format-checking (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (a95b535a5d579db23cf10d4a9897278238afb3093600235b1f39ddf2cca74600)\nInside the library there is a part running code hidden in the attached image, which then exfiltrate user-provided data, downloads and install next stage code, exfiltrate TXT files and finally installs infostealers - Lumma and a custom one. Arround L110\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2024-10-fake-usreagent\n\n\nReasons (based on the campaign):\n\n\n - infostealer\n\n\n - files-exfiltration\n\n\n - clipboard-stealing\n\n\n - obfuscation\n\n\n - clones-real-package\n\n\n - action-hidden-in-lib-usage\n","modified":"2026-03-19T12:52:07.445442Z","published":"2024-10-07T22:16:18Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2024-12-09T06:50:02Z","sha256":"cb41607036269bb0a1c45971747774c6892126b1c3c80bcfa6a13040a4f95fd9","versions":["1.7.5","1.7.6"],"id":"RLMA-2024-11011","source":"reversing-labs","import_time":"2024-12-09T14:38:42.589325747Z"},{"sha256":"a92a8d306075287f4756fade7ae39f19fe83b1819c22fc93a14ac0138ec5c96d","modified_time":"2024-10-07T22:16:18Z","id":"pypi/2024-10-fake-usreagent/crypto-format-checking","source":"kam193","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"import_time":"2025-12-02T22:30:55.079202631Z"},{"sha256":"a95b535a5d579db23cf10d4a9897278238afb3093600235b1f39ddf2cca74600","modified_time":"2024-10-07T22:16:18Z","id":"pypi/2024-10-fake-usreagent/crypto-format-checking","source":"kam193","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"import_time":"2025-12-02T23:07:18.089303872Z"},{"modified_time":"2024-10-07T22:16:18Z","sha256":"267f2f8f9f1deb4e22e65491feb5819438df12068bfc152174d481bdda85e7b0","versions":["1.7.5","1.7.6"],"id":"pypi/2024-10-fake-usreagent/crypto-format-checking","source":"kam193","import_time":"2025-12-10T21:38:57.381898607Z"},{"sha256":"0a24b017afcfad583f0d8ef4a8da1bd6234f8d224f4ac254f4789c6e9a28d419","modified_time":"2026-03-18T12:12:55Z","id":"RLUA-2026-00233","source":"reversing-labs","import_time":"2026-03-19T12:19:36.904538584Z"}],"iocs":{"domains":["ethscanold.com","crypto-api.net"],"urls":["https://ethscanold.com/ex_ewq1/2e.exe","https://ethscanold.com/ex_ewq1/cdr2.exe","https://ethscanold.com/r.php"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/crypto-format-checking"}],"affected":[{"package":{"name":"crypto-format-checking","ecosystem":"PyPI","purl":"pkg:pypi/crypto-format-checking"},"versions":["1.7.5","1.7.6"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/crypto-format-checking/MAL-2024-11564.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}