{"id":"MAL-2024-9962","summary":"Malicious code in colorbytes (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (aa4677648d784f5460e80091c656719fc082e6ed9028940b407c97b0e78ff008)\nExtremely obfuscated code starts when importing the module, and then downloads the next stages and configuration from pastebin. They include a whole range of infostealer activity, from exfiltrating browser files up to a keylogger and registering mouse clicks.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2024-08-old-colorbytes\n\n\nReasons (based on the campaign):\n\n\n - obfuscation\n\n\n - Downloads and executes a remote executable.\n\n\n - crypto-related\n\n\n - infostealer\n","modified":"2026-03-19T12:51:50.640396Z","published":"2024-09-08T17:47:46Z","database_specific":{"iocs":{"urls":["https://pastebin.com/raw/mWyKKzeT","https://pastebin.com/raw/gwC6eetW","https://pastebin.com/raw/cbjzwued","https://pastebin.com/raw/PXPtuhz3","https://pastebin.com/raw/KV3GS6Js"]},"malicious-packages-origins":[{"sha256":"8a56539943a10b763ff4f1bc5a62dc4362fc4715f21e728c9c033e29ae5a11fb","versions":["1.0.0","1.0.1"],"modified_time":"2024-10-16T14:38:27Z","id":"RLMA-2024-08018","source":"reversing-labs","import_time":"2024-10-24T00:56:54.952412123Z"},{"sha256":"d93e7f301249423b016f93f47615a5a403640cc069c10e29630dad381adacf2e","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"modified_time":"2024-09-08T17:47:46Z","id":"pypi/2024-08-old-colorbytes/colorbytes","source":"kam193","import_time":"2025-12-02T22:30:55.060196293Z"},{"sha256":"aa4677648d784f5460e80091c656719fc082e6ed9028940b407c97b0e78ff008","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"modified_time":"2024-09-08T17:47:46Z","id":"pypi/2024-08-old-colorbytes/colorbytes","source":"kam193","import_time":"2025-12-02T23:07:18.070087079Z"},{"sha256":"f450925ef3e67dbcddad18020f2d442ac8732fdd79d84a4ef60eb15d5091aaf9","versions":["1.0.1","1.0.0"],"modified_time":"2024-09-08T17:47:46Z","id":"pypi/2024-08-old-colorbytes/colorbytes","source":"kam193","import_time":"2025-12-10T21:38:57.362029889Z"},{"sha256":"157a22714107b31e25dc43e11905d416f8417e77fc8bd3fb52943840d74e2fd7","versions":["1.0.0","1.0.1"],"modified_time":"2024-09-08T17:47:46Z","id":"pypi/2024-08-old-colorbytes/colorbytes","source":"kam193","import_time":"2025-12-30T22:39:04.057731748Z"},{"sha256":"d0cc09f53bce466ffe28a700f8b7816355f51f603022a18dec203e3c7051c0c5","modified_time":"2026-03-18T12:12:42Z","id":"RLUA-2026-00212","source":"reversing-labs","import_time":"2026-03-19T12:19:35.151600899Z"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/colorbytes"}],"affected":[{"package":{"name":"colorbytes","ecosystem":"PyPI","purl":"pkg:pypi/colorbytes"},"versions":["1.0.0","1.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/colorbytes/MAL-2024-9962.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}