{"id":"MAL-2025-191535","summary":"Malicious code in tableate (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: google-open-source-security (762292d92c617c287b3c6b54f7c4a8b8630e7dd893b40dd05bade462fec7ca26)\nThis package is malicious and typosquatting the legitimate pyspellchecker library.\nThis package will deploy a remote-access trojan that allows the attacker full\ncontrol of the victim's host.\n\n## Source: kam193 (d88deb1f1ae46e472c6b11ee1f67a1625ed092c81dc62ce54491c775e719748e)\nPackages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in background periodically connects to a remote host and waits for next code to execute\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-11-spellcheckers\n\n\nReasons (based on the campaign):\n\n\n - obfuscation\n\n\n - Downloads and executes a remote malicious script.\n\n\n - The package contains code to execute remote commands (probably limited to a specific set) on the victim's 
machine.\n","modified":"2026-03-19T12:57:14.884097Z","published":"2025-11-25T11:06:37Z","database_specific":{"malicious-packages-origins":[{"sha256":"762292d92c617c287b3c6b54f7c4a8b8630e7dd893b40dd05bade462fec7ca26","import_time":"2025-12-02T00:36:18.917048Z","versions":["0.0.1"],"ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"modified_time":"2025-12-02T00:36:12Z","source":"google-open-source-security"},{"sha256":"5a061ea6461d72dd4412a53643337c4fef3e02cd7ff7670385def8862e016d22","import_time":"2025-12-02T22:30:55.62521246Z","versions":["0.0.1"],"id":"pypi/2025-11-spellcheckers/tableate","modified_time":"2025-11-25T11:06:37.753983Z","source":"kam193"},{"sha256":"d88deb1f1ae46e472c6b11ee1f67a1625ed092c81dc62ce54491c775e719748e","import_time":"2025-12-02T23:07:18.666216152Z","versions":["0.0.1"],"id":"pypi/2025-11-spellcheckers/tableate","modified_time":"2025-11-25T11:06:37.753983Z","source":"kam193"},{"sha256":"09a52dbb7e108b87d36611108fc40cac494849bc6b2e5d01a044e0a2036092e5","import_time":"2025-12-24T10:07:31.475321834Z","versions":["0.0.1"],"id":"RLMA-2025-06594","modified_time":"2025-12-23T08:39:54Z","source":"reversing-labs"},{"sha256":"237281e790d2b288d215f0f5348ad12e77778337a2bef961dd547ae72af43645","import_time":"2026-01-20T19:58:56.114282547Z","versions":["0.0.1"],"id":"pypi/2025-11-spellcheckers/tableate","modified_time":"2025-11-25T11:06:37.753983Z","source":"kam193"},{"sha256":"93febccbf215593704410837cdce5accdad3866b188e7e8bc7884701cf8669ef","import_time":"2026-01-27T18:48:13.391465092Z","versions":["0.0.1"],"id":"pypi/2025-11-spellcheckers/tableate","modified_time":"2025-11-25T11:06:37.753983Z","source":"kam193"},{"sha256":"8d9cb1b34ddf007424089853bea04792d4d0c8fa4008859a035cc5bb6c057641","import_time":"2026-01-28T19:11:43.702142511Z","versions":["0.0.1"],"id":"pypi/2025-11-spellcheckers/tableate","modified_time":"2025-11-25T11:06:37.753983Z","source":"kam193"},{"sha256":"e44c807b69204fc9bbe2f12cf1c547e8ef529850cad7d9db547711c4811c68b7","im
port_time":"2026-03-11T10:47:48.530085869Z","versions":["0.0.1"],"id":"pypi/2025-11-spellcheckers/tableate","modified_time":"2025-11-25T11:06:37.753983Z","source":"kam193"},{"sha256":"83f253533a75a18c59fc46da473216b199b92863376628c3311710d3fe55686e","import_time":"2026-03-19T12:20:31.797676149Z","id":"RLUA-2026-00800","modified_time":"2026-03-18T12:19:16Z","source":"reversing-labs"}],"iocs":{"urls":["dothebest.store/allow/inform.php","dothebest.store/refresh.php"],"domains":["dothebest.store"]}},"references":[{"type":"REPORT","url":"https://helixguard.ai/blog/malicious-spellcheckers-2025-11-19"},{"type":"REPORT","url":"https://bad-packages.kam193.eu/pypi/campaign/2025-11-spellcheckers/"},{"type":"ARTICLE","url":"https://securityonline.info/pypi-typosquat-delivers-multi-layer-python-rat-bypassing-scanners-with-xor-encryption/"},{"type":"WEB","url":"https://helixguard.ai/blog/malicious-spellcheckers-2025-11-19"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/tableate"},{"type":"WEB","url":"https://www.aikido.dev/blog/malicious-pypi-packages-spellcheckpy-and-spellcheckerpy-deliver-python-rat"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/campaign/2025-11-spellcheckers"},{"type":"WEB","url":"https://securityonline.info/pypi-typosquat-delivers-multi-layer-python-rat-bypassing-scanners-with-xor-encryption"}],"affected":[{"package":{"name":"tableate","ecosystem":"PyPI","purl":"pkg:pypi/tableate"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/tableate/MAL-2025-191535.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski 
(kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}