{"id":"MAL-2024-11741","summary":"Malicious code in useregent-generator (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (f0c8bbc66c2a8384b2a35340f4e3204351fbeb78d88a11bec270f8e3e52b5636)\nInside the library there is a part running code hidden in the attached image, which then exfiltrate user-provided data, downloads and install next stage code, exfiltrate TXT files and finally installs infostealers - Lumma and a custom one. Arround L110\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2024-10-fake-usreagent\n\n\nReasons (based on the campaign):\n\n\n - infostealer\n\n\n - files-exfiltration\n\n\n - clipboard-stealing\n\n\n - obfuscation\n\n\n - clones-real-package\n\n\n - action-hidden-in-lib-usage\n","modified":"2026-03-19T12:58:01.295777Z","published":"2024-10-07T22:16:18Z","database_specific":{"malicious-packages-origins":[{"versions":["1.6.5"],"source":"reversing-labs","sha256":"1dc2a3f3e1dfda0cca42b2a0d5dd9f5f89c9f62f98225049dcc25db6ca079336","modified_time":"2024-12-09T06:51:25Z","import_time":"2024-12-09T14:38:50.765508127Z","id":"RLMA-2024-11202"},{"source":"kam193","sha256":"86aca124212af00c9576471eba0b3842cdeab589089ccada90890b283400d465","modified_time":"2024-10-07T22:16:18Z","import_time":"2025-12-02T22:30:55.696387646Z","id":"pypi/2024-10-fake-usreagent/useregent-generator","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"source":"kam193","sha256":"f0c8bbc66c2a8384b2a35340f4e3204351fbeb78d88a11bec270f8e3e52b5636","modified_time":"2024-10-07T22:16:18Z","import_time":"2025-12-02T23:07:18.741749134Z","id":"pypi/2024-10-fake-usreagent/useregent-generator","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"versions":["1.6.5"],"source":"kam193","sha256":"55e728d0612d4dbdba8f0dbd916f3fdc2f617652af191d024bef18036ce3366c","modified_time":"2024-10-07T22:16:18Z","import_time":"2025-12-10T21:38:57.916514307Z","id":"pypi/2024-10-fake-usreagent/useregent-generator"},{"source":"reversing-labs","sha256":"115547d162414af6a7357adfe733e0e795f3f345b506119ff5e59082324d09bf","modified_time":"2026-03-18T12:20:03Z","import_time":"2026-03-19T12:20:39.27387197Z","id":"RLUA-2026-00877"}],"iocs":{"domains":["ethscanold.com","crypto-api.net"],"urls":["https://ethscanold.com/ex_ewq1/2e.exe","https://ethscanold.com/ex_ewq1/cdr2.exe","https://ethscanold.com/r.php"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/useregent-generator"}],"affected":[{"package":{"name":"useregent-generator","ecosystem":"PyPI","purl":"pkg:pypi/useregent-generator"},"versions":["1.6.5"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/useregent-generator/MAL-2024-11741.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}