{"id":"MAL-2025-191708","summary":"Malicious code in crto5 (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (3a906f74f9672d68f42311985b67b1076e3b02caf14d8366b703d3331ff5897b)\nImporting the module starts downloading or decrypting, and then executing an executable being a wide recognized malware/Infostealer (Redline family)\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-07-crpt\n\n\nReasons (based on the campaign):\n\n\n - infostealer\n\n\n - Downloads and executes a remote executable.\n\n\n - Downloads and executes a remote malicious script.\n\n\n - exfiltration-crypto\n\n\n - malware\n","modified":"2025-12-31T02:53:06.972360Z","published":"2025-07-14T16:42:19Z","database_specific":{"iocs":{"urls":["https://raw.githubusercontent.com/cmderr11/cryptu/refs/heads/main/cryptu.py","https://raw.githubusercontent.com/cmderr11/crt1/refs/heads/main/crt1.py"]},"malicious-packages-origins":[{"id":"pypi/2025-07-crpt/crto5","source":"kam193","modified_time":"2025-07-14T16:42:19.602186Z","import_time":"2025-12-02T22:30:55.076828477Z","sha256":"c6d902cde8d930aa0b1ccdcc7985887501b8be6fc1fca036e02fcc9ab6ce1570","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}]},{"id":"pypi/2025-07-crpt/crto5","source":"kam193","modified_time":"2025-07-14T16:42:19.602186Z","import_time":"2025-12-02T23:07:18.08657152Z","sha256":"3a906f74f9672d68f42311985b67b1076e3b02caf14d8366b703d3331ff5897b","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}]},{"id":"pypi/2025-07-crpt/crto5","versions":["0.2.0","0.1.0","0.5.0"],"modified_time":"2025-07-14T16:42:19.602186Z","import_time":"2025-12-10T21:38:57.37892828Z","sha256":"a84b5149a119f8b0ac61cf2d2956209ac6dfb3bd7147056fc8e60966cad06a9d","source":"kam193"},{"id":"pypi/2025-07-crpt/crto5","versions":["0.1.0","0.2.0","0.5.0"],"modified_time":"2025-07-14T16:42:19.602186Z","import_time":"2025-12-30T22:39:04.063935056Z","sha256":"0e46bbba999d3b129c5d409d467b17d6212a4f4c0e2dfd85a856850d8ca6b9dc","source":"kam193"}]},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/eb7f339a21ac7d8a5f530ba0d7278e2e5f64ee039b200c2f4ee9b98bbfad1ba6"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/crto5"}],"affected":[{"package":{"name":"crto5","ecosystem":"PyPI","purl":"pkg:pypi/crto5"},"versions":["0.2.0","0.1.0","0.5.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/crto5/MAL-2025-191708.json"}}],"schema_version":"1.7.3","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}