{"id":"MAL-2025-191640","summary":"Malicious code in install-all-setup (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (519885ab1e79055139dd279d8e9bf603b4f1d0c0f3f6d3c90231c934f26bbb60)\nPackage downloads and runs an obfuscated bat file, which executes malicious activity according to VirusTotal results.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-10-windowsrequir\n\n\nReasons (based on the campaign):\n\n\n - impersonation\n\n\n - Downloads and executes a remote malicious script.\n\n\n - malware\n","modified":"2026-03-19T12:54:07.769971Z","published":"2025-10-29T21:52:42Z","database_specific":{"malicious-packages-origins":[{"source":"reversing-labs","sha256":"e82ea3bfe177e3a52180f82acba72f98c9b10f04e97ea0ae8dc74d1c004ca45d","id":"RLMA-2025-05609","modified_time":"2025-12-01T12:54:30Z","versions":["0.1.0"],"import_time":"2025-12-02T09:09:37.720137174Z"},{"source":"kam193","sha256":"03401206aa55bda1cc26afad6203380a749c97da2240e9569300d7e521a8d91a","id":"pypi/2025-10-windowsrequir/install-all-setup","modified_time":"2025-10-29T21:52:42.690983Z","versions":["0.1.1","0.1.0"],"import_time":"2025-12-02T22:30:55.275123728Z"},{"source":"kam193","sha256":"519885ab1e79055139dd279d8e9bf603b4f1d0c0f3f6d3c90231c934f26bbb60","id":"pypi/2025-10-windowsrequir/install-all-setup","modified_time":"2025-10-29T21:52:42.690983Z","versions":["0.1.1","0.1.0"],"import_time":"2025-12-02T23:07:18.299427363Z"},{"source":"kam193","sha256":"e8a9d972780917c906493881066e1cc7bce18f30732f1b8e8b65b708630fdb0d","id":"pypi/2025-10-windowsrequir/install-all-setup","modified_time":"2025-10-29T21:52:42.690983Z","versions":["0.1.0","0.1.1"],"import_time":"2025-12-30T22:39:04.105666566Z"},{"source":"reversing-labs","sha256":"52619318269cf4f857dcfb1bbd7003ad52d53fea1cd7e7b74fd0271eb961366e","id":"RLUA-2026-00426","modified_time":"2026-03-18T12:15:04Z","versions":["0.1.1"],"import_time":"2026-03-19T12:19:55.008139043Z"}],"iocs":{"domains":["stellar-conquest.fr"],"urls":["http://stellar-conquest.fr/launcher.bat"]}},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/7b54915ac4e6d820bec7782cb02adb0d9ef7a3e9532a7e45d9e29bb220f3d079/detection"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/ac5ce135f96d67e8cc61887a9343468f72cd034af266ae65da2d5f1797ca28e7/detection"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/install-all-setup"}],"affected":[{"package":{"name":"install-all-setup","ecosystem":"PyPI","purl":"pkg:pypi/install-all-setup"},"versions":["0.1.0","0.1.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/install-all-setup/MAL-2025-191640.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}