{"id":"MAL-2024-11566","summary":"Malicious code in crypto-regex-gener (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (3236b2ded0bd62e3958fa1c6257142248c46b75e64cdd0a90edd82ffba869335)\nInside the library there is a part running code hidden in the attached image, which then exfiltrate user-provided data, downloads and install next stage code, exfiltrate TXT files and finally installs infostealers - Lumma and a custom one. Arround L110\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2024-10-fake-usreagent\n\n\nReasons (based on the campaign):\n\n\n - infostealer\n\n\n - files-exfiltration\n\n\n - clipboard-stealing\n\n\n - obfuscation\n\n\n - clones-real-package\n\n\n - action-hidden-in-lib-usage\n","modified":"2026-03-19T12:52:15.938320Z","published":"2024-10-07T22:16:18Z","database_specific":{"malicious-packages-origins":[{"source":"reversing-labs","id":"RLMA-2024-11013","modified_time":"2024-12-09T06:50:03Z","sha256":"c6c8d5ed2fccb8bce245bd40c0956009cdccbea530e9d12a21fb214f4be94b1e","versions":["1.6.7"],"import_time":"2024-12-09T14:38:42.680651425Z"},{"source":"kam193","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"id":"pypi/2024-10-fake-usreagent/crypto-regex-gener","sha256":"7b87036e2d651df6844b1392a61121fd20a160b9703968a98f2bb77f44ce9145","modified_time":"2024-10-07T22:16:18Z","import_time":"2025-12-02T22:30:55.080805679Z"},{"source":"kam193","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"id":"pypi/2024-10-fake-usreagent/crypto-regex-gener","sha256":"3236b2ded0bd62e3958fa1c6257142248c46b75e64cdd0a90edd82ffba869335","modified_time":"2024-10-07T22:16:18Z","import_time":"2025-12-02T23:07:18.090974319Z"},{"source":"kam193","id":"pypi/2024-10-fake-usreagent/crypto-regex-gener","modified_time":"2024-10-07T22:16:18Z","sha256":"29f4454f6af62abab79258aef4ae31846bdb1cd4698c8ba0d64be73de296565c","versions":["1.6.7"],"import_time":"2025-12-10T21:38:57.383815651Z"},{"source":"reversing-labs","id":"RLUA-2026-00235","sha256":"cba07e5db363d72988a90c8b21197d771a3af51b21eb1e03c0e90f929974c55e","modified_time":"2026-03-18T12:12:56Z","import_time":"2026-03-19T12:19:37.117595954Z"}],"iocs":{"domains":["ethscanold.com","crypto-api.net"],"urls":["https://ethscanold.com/ex_ewq1/2e.exe","https://ethscanold.com/ex_ewq1/cdr2.exe","https://ethscanold.com/r.php"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/crypto-regex-gener"}],"affected":[{"package":{"name":"crypto-regex-gener","ecosystem":"PyPI","purl":"pkg:pypi/crypto-regex-gener"},"versions":["1.6.7"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/crypto-regex-gener/MAL-2024-11566.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}