{"id":"MAL-2024-12249","summary":"Malicious code in companyx-metaflow (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (ec7089679a9c5637609b94cb606e78aa693a8bd224ba334ca46b3f48c54169c1)\nInstalling the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.\n\n\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.\n\n\nCampaign: GENERIC-standard-pypi-install-pentest\n\n\nReasons (based on the campaign):\n\n\n - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n","modified":"2025-12-31T02:52:57.259829Z","published":"2024-07-26T16:53:30Z","database_specific":{"malicious-packages-origins":[{"id":"pypi/GENERIC-standard-pypi-install-pentest/companyx-metaflow","modified_time":"2024-07-26T16:53:30Z","source":"kam193","import_time":"2025-12-02T22:30:55.956389606Z","sha256":"0c9a6871a94f3a786cd5c59bab28c12b704777621b938606444f40dedc86def0","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"id":"pypi/GENERIC-standard-pypi-install-pentest/companyx-metaflow","modified_time":"2024-07-26T16:53:30Z","source":"kam193","import_time":"2025-12-02T23:07:19.145422268Z","sha256":"ec7089679a9c5637609b94cb606e78aa693a8bd224ba334ca46b3f48c54169c1","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"id":"pypi/GENERIC-standard-pypi-install-pentest/companyx-metaflow","versions":["0.0.1","0.0.3","0.0.2","0.0.4","0.0.5"],"modified_time":"2024-07-26T16:53:30Z","source":"kam193","import_time":"2025-12-10T21:38:58.284594506Z","sha256":"747e53b9a28e5a41c8b6107eeb5e20ec56bfd37dbb5d44da6f2fae2f928b5256"},{"id":"pypi/GENERIC-standard-pypi-install-pentest/companyx-metaflow","versions":["0.0.1","0.0.2","0.0.3","0.0.4","0.0.5"],"modified_time":"2024-07-26T16:53:30Z","source":"kam193","import_time":"2025-12-30T22:39:04.276795679Z","sha256":"f56cf47a752be1887a9f15ecbb494ea28a7609d70474433d0a43f55c9df4b6f6"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/companyx-metaflow"}],"affected":[{"package":{"name":"companyx-metaflow","ecosystem":"PyPI","purl":"pkg:pypi/companyx-metaflow"},"versions":["0.0.1","0.0.3","0.0.2","0.0.4","0.0.5"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/companyx-metaflow/MAL-2024-12249.json"}}],"schema_version":"1.7.3","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}