{"id":"MAL-2024-11705","summary":"Malicious code in setuptolos (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (89f6c10eb8edc13e9f46c33bba334822fbb3693527f3fc89714bd86adc3be1af)\nDuring installation, a cryptominer is secretly installed and started.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2024-09-bondonioanderas-cryptominer\n\n\nReasons (based on the campaign):\n\n\n - cryptominer\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n\n - obfuscation\n","modified":"2026-03-19T12:56:56.662334Z","published":"2024-09-20T11:29:31Z","database_specific":{"iocs":{"urls":["https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.sh"]},"malicious-packages-origins":[{"import_time":"2024-12-09T14:38:48.968351313Z","source":"reversing-labs","modified_time":"2024-12-09T06:51:09Z","sha256":"a25eb21a3c429a167cb3c50e372745257ebfdf61ae7f503bf947ffdf8601e08e","versions":["0.1"],"id":"RLMA-2024-11163"},{"source":"kam193","sha256":"ade75be64ec274cc6c6769e08e0e7fa010b7307afeb703c9285c5a1541f31f13","modified_time":"2024-09-20T11:29:31Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"import_time":"2025-12-02T22:30:55.572051127Z","id":"pypi/2024-09-bondonioanderas-cryptominer/setuptolos"},{"source":"kam193","sha256":"89f6c10eb8edc13e9f46c33bba334822fbb3693527f3fc89714bd86adc3be1af","modified_time":"2024-09-20T11:29:31Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"import_time":"2025-12-02T23:07:18.613883834Z","id":"pypi/2024-09-bondonioanderas-cryptominer/setuptolos"},{"import_time":"2025-12-10T21:38:57.81407993Z","source":"kam193","modified_time":"2024-09-20T11:29:31Z","sha256":"425a60f65a70798439baa6844f9ceb51e9f1d2881a7a5992a4fd56d9faf1323f","versions":["0.1"],"id":"pypi/2024-09-bondonioanderas-cryptominer/setuptolos"},{"source":"reversing-labs","modified_time":"2026-03-18T12:18:46Z","sha256":"f83afe9d0289348582512e918db208efeccacf65f5a91b3e356ece01a9cad5ad","import_time":"2026-03-19T12:20:27.204086469Z","id":"RLUA-2026-00754"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/setuptolos"}],"affected":[{"package":{"name":"setuptolos","ecosystem":"PyPI","purl":"pkg:pypi/setuptolos"},"versions":["0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/setuptolos/MAL-2024-11705.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}