{"id":"MAL-2024-11686","summary":"Malicious code in pyutiltool (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (33b1b5a9f2482626b8ff1dc21fbf8da61082231e20f1b87060ab133957ce634f)\nWhen importing the module and a specific file exists in the current directory, obfuscated code downloads and starts the next stage of obfuscated code (cstealer infostealer)\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2024-10-pyutiltool \n\n\nReasons (based on the campaign):\n\n\n - infostealer\n\n\n - obfuscation\n\n\n - infostealer:cstealer\n","modified":"2026-03-19T12:56:02.587161Z","published":"2024-10-03T16:34:31Z","database_specific":{"malicious-packages-origins":[{"import_time":"2024-12-09T14:38:48.204877397Z","id":"RLMA-2024-11143","source":"reversing-labs","versions":["3.5"],"modified_time":"2024-12-09T06:50:59Z","sha256":"3150e13656a8c745a109aaa2b3335a91344163c2b404eca84e00cafa84a69e6b"},{"import_time":"2025-12-02T22:30:55.510701396Z","id":"pypi/2024-10-pyutiltool/pyutiltool","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"source":"kam193","modified_time":"2024-10-03T16:34:31Z","sha256":"96c38386dcfd78ea5406622fc68853bcc4930be10f9b1b0f57af6035f51ec4cf"},{"import_time":"2025-12-02T23:07:18.536460887Z","id":"pypi/2024-10-pyutiltool/pyutiltool","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"source":"kam193","modified_time":"2024-10-03T16:34:31Z","sha256":"33b1b5a9f2482626b8ff1dc21fbf8da61082231e20f1b87060ab133957ce634f"},{"import_time":"2025-12-10T21:38:57.755937563Z","id":"pypi/2024-10-pyutiltool/pyutiltool","source":"kam193","versions":["3.5"],"modified_time":"2024-10-03T16:34:31Z","sha256":"3b212bc09ee1ae3ff6347f8b1413ba7d4d0192b110cfc6f4dc6a97b89b46c304"},{"import_time":"2026-03-19T12:20:19.390195027Z","id":"RLUA-2026-00674","source":"reversing-labs","modified_time":"2026-03-18T12:17:53Z","sha256":"d79de5b129e8422486733bf10ecc2f118919fe140809bef940240914ab0f7cfa"}],"iocs":{"urls":["https://blockatlaspro.com/application.py","https://blockatlaspro.com/test.py"],"domains":["blockatlaspro.com"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/pyutiltool"}],"affected":[{"package":{"name":"pyutiltool","ecosystem":"PyPI","purl":"pkg:pypi/pyutiltool"},"versions":["3.5"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pyutiltool/MAL-2024-11686.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}