{"id":"MAL-2024-11575","summary":"Malicious code in dftester-pip (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (2e23c327cc9243e5437e6b31224c6796b90399065b451269641911b1d1982483)\nExample package with overwritten install command and the reverse shell\n\n\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.\n\n\nCampaign: 2024-11-dftester-pip\n\n\nReasons (based on the campaign):\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n\n - The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.\n","modified":"2026-03-19T12:52:32.217028Z","published":"2024-11-27T17:03:25Z","database_specific":{"iocs":{"urls":["https://raw.githubusercontent.com/0xe2d0/evil-pip/main/scripts/linux.txt","https://raw.githubusercontent.com/0xe2d0/evil-pip/main/scripts/windows.txt"]},"malicious-packages-origins":[{"modified_time":"2024-12-09T06:50:07Z","source":"reversing-labs","sha256":"8370ad2a7375101a6442064130e71846a3243c72a42b5d4686b0d3e18251ba8a","versions":["0.0.1"],"id":"RLMA-2024-11023","import_time":"2024-12-09T14:38:43.119050401Z"},{"modified_time":"2024-11-27T17:03:25Z","sha256":"2ecd5f09f0c86ff90b26880e231db33f48a7e9712c9a90b8cef385b3e746cbe7","import_time":"2025-12-02T22:30:55.994689522Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"id":"pypi/2024-11-dftester-pip/dftester-pip","source":"kam193"},{"modified_time":"2024-11-27T17:03:25Z","sha256":"2e23c327cc9243e5437e6b31224c6796b90399065b451269641911b1d1982483","import_time":"2025-12-02T23:07:19.189251796Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"id":"pypi/2024-11-dftester-pip/dftester-pip","source":"kam193"},{"modified_time":"2024-11-27T17:03:25Z","source":"kam193","sha256":"46a51890b899cc8b9991886ea11cfe5b01c2e87d3f410224e60ee0021d6b08b9","versions":["0.0.1"],"id":"pypi/2024-11-dftester-pip/dftester-pip","import_time":"2025-12-10T21:38:58.330323796Z"},{"modified_time":"2026-03-18T12:13:13Z","source":"reversing-labs","sha256":"1b3ebb681d19b048e9c3e67fd485cb7f44fa76af6a34f8c34067ab4d9fd081a0","import_time":"2026-03-19T12:19:40.056894288Z","id":"RLUA-2026-00264"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/dftester-pip"}],"affected":[{"package":{"name":"dftester-pip","ecosystem":"PyPI","purl":"pkg:pypi/dftester-pip"},"versions":["0.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/dftester-pip/MAL-2024-11575.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}