{"id":"MAL-2024-9944","summary":"Malicious code in asciidrawing (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (633d53a1b6bcde673f71f2788cc6c268f7eef20552eb7a0dc3f533f6a9a7ad12)\nDuring installation, a Discord webhook is used to exfiltrate basic data. The package seems to attempt impersonating the \"asciidraw\" package (some files and description in setup.py are copied).\n\nThe other package, pdf2doc, as well as time correlation suggests the uploader is related to the 2024-09-bondonioanderas-cryptominer campaign as well.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2024-09-sampleuser123-asciidrawing\n\n\nReasons (based on the campaign):\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n\n - \n\n\n - impersonation\n\n\n - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.\n\n\n - clones-real-package\n\n\n - dependency-confusion\n\n## Source: ossf-package-analysis (2dd9ac0d2ef9e9bb84011c475ec24faabed0759dfceb9385fc5904e42f045029)\nThe OpenSSF Package Analysis project identified 'asciidrawing' @ 0.1.2 (pypi) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n","modified":"2025-12-12T20:35:35.068017Z","published":"2024-09-20T10:55:48Z","database_specific":{"malicious-packages-origins":[{"versions":["0.1.1","0.1.2"],"sha256":"24cf3acf1b2bea67c15883ad235855bc9cb0687b5e61819c83ac73c5e0a6f3ac","id":"RLMA-2024-07834","import_time":"2024-10-24T00:56:53.525725666Z","source":"reversing-labs","modified_time":"2024-10-16T14:36:30Z"},{"versions":["0.1.2"],"sha256":"2dd9ac0d2ef9e9bb84011c475ec24faabed0759dfceb9385fc5904e42f045029","import_time":"2025-02-10T05:35:46.793224951Z","source":"ossf-package-analysis","modified_time":"2024-09-20T10:55:48Z"},{"sha256":"d2a9162ee0759b5f5b7e19384bd2b1f13aa36214797e4a099d6960ea0da4f7a7","id":"pypi/2024-09-sampleuser123-asciidrawing/asciidrawing","import_time":"2025-12-02T22:30:54.94194375Z","source":"kam193","modified_time":"2024-09-20T11:42:29Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"sha256":"633d53a1b6bcde673f71f2788cc6c268f7eef20552eb7a0dc3f533f6a9a7ad12","id":"pypi/2024-09-sampleuser123-asciidrawing/asciidrawing","import_time":"2025-12-02T23:07:17.981260308Z","source":"kam193","modified_time":"2024-09-20T11:42:29Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"versions":["0.1.2"],"sha256":"4a33f450171fccce762c65b1ed1296012b4dbdf92c1507c5ad07957c43ca7d50","id":"pypi/2024-09-sampleuser123-asciidrawing/asciidrawing","import_time":"2025-12-10T21:38:57.286766663Z","source":"kam193","modified_time":"2024-09-20T11:42:29Z"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/asciidrawing"}],"affected":[{"package":{"name":"asciidrawing","ecosystem":"PyPI","purl":"pkg:pypi/asciidrawing"},"versions":["0.1.1","0.1.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/asciidrawing/MAL-2024-9944.json"}}],"schema_version":"1.7.3","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}