{"id":"MAL-2024-5134","summary":"Malicious code in fef3434334dwrg (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (c2b2e5c701437968432a35bd57be234d6c8f6141a3607819413ae3f88fc0101c)\nInstalling the package starts an infostealer\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2023-12-fefeefrrg\n\n\nReasons (based on the campaign):\n\n\n - infostealer\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n\n - exfiltration-generic\n\n\n - exfiltration-browser-data\n\n\n - The package contains code to detect if it is running in a sandbox environment.\n","modified":"2026-03-19T12:53:09.753203Z","published":"2024-06-25T13:35:22Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0"],"id":"RLMA-2024-03914","source":"reversing-labs","sha256":"051e562b712ce090e22977f771a61ec5f8e4a5cb0acbe9a3cf768f68b8533f38","import_time":"2024-06-28T02:48:58.114477791Z","modified_time":"2024-06-25T13:35:22Z"},{"modified_time":"2024-10-16T14:41:07Z","id":"RLUA-2024-08270","source":"reversing-labs","sha256":"b43476dd93328c77657d0a9c468ce1bad1942932de862b3be02e9010578c6c82","import_time":"2024-10-24T00:59:11.838386807Z"},{"modified_time":"2024-12-01T17:21:48Z","id":"pypi/2023-12-fefeefrrg/fef3434334dwrg","source":"kam193","sha256":"735b89c55992eb74dbad3a7b3391cb73ba8616e88e5d766406550bd97f85ee2c","import_time":"2025-12-02T22:30:55.1877922Z","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}]},{"modified_time":"2024-12-01T17:21:48Z","id":"pypi/2023-12-fefeefrrg/fef3434334dwrg","source":"kam193","sha256":"c2b2e5c701437968432a35bd57be234d6c8f6141a3607819413ae3f88fc0101c","import_time":"2025-12-02T23:07:18.19628883Z","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}]},{"versions":["1.0"],"id":"pypi/2023-12-fefeefrrg/fef3434334dwrg","source":"kam193","sha256":"d8a9fd884768864bbfb2bc5eeeee3c82b788fe651fd7cb19763f1953d877761f","import_time":"2025-12-10T21:38:57.481146271Z","modified_time":"2024-12-01T17:21:48Z"},{"modified_time":"2026-03-18T12:13:48Z","id":"RLUA-2026-00318","source":"reversing-labs","sha256":"dc3d6324966e27e10d8e7cf9c84c82885998d348bcb517982cc02120cfb39c4a","import_time":"2026-03-19T12:19:45.013971303Z"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/fef3434334dwrg"}],"affected":[{"package":{"name":"fef3434334dwrg","ecosystem":"PyPI","purl":"pkg:pypi/fef3434334dwrg"},"versions":["1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/fef3434334dwrg/MAL-2024-5134.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}