{"id":"MAL-2025-191872","summary":"Malicious code in soopsocks (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (adcaa2cfcfa52c7c1ed664a9389ba0bd0ddd2716ea4c475b22bcd2f62bc1ab95)\nThe package promise creating a SOCKS proxy and report the server to a Discord webhook. And indeed appears to do so, but the attached autorun service seems to be a malware\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-09-soopsocks\n\n\nReasons (based on the campaign):\n\n\n - malware\n","modified":"2026-04-22T21:37:46.549660Z","published":"2025-09-26T16:20:15Z","database_specific":{"iocs":{"domains":["soop.space"],"urls":["https://discord.com/api/webhooks/1418298773330985154/_I7EzXpGMundYt8jCvlDdzi9INsBkBq7NSDM74iV0Y_flSzQZ5LxYP0lZtXFzHCkRtKR","http://install.soop.space:6969/download/py/pythonportable.zip","http://install.soop.space"]},"malicious-packages-origins":[{"sha256":"6b1d078aff71031e0681d4377e92d0e9d398f3f18d1fc92ab6f97f94a93697d5","import_time":"2025-12-02T22:30:55.601059851Z","modified_time":"2025-09-26T16:26:52.468777Z","versions":["0.2.7","0.2.6","0.2.5","0.2.4","0.2.3","0.2.2","0.2.1","0.2.0","0.1.3","0.1.2","0.1.1","0.1.0","0.2.7"],"id":"pypi/2025-09-soopsocks/soopsocks","source":"kam193"},{"sha256":"adcaa2cfcfa52c7c1ed664a9389ba0bd0ddd2716ea4c475b22bcd2f62bc1ab95","import_time":"2025-12-02T23:07:18.640582329Z","modified_time":"2025-09-26T16:26:52.468777Z","versions":["0.2.7","0.2.6","0.2.5","0.2.4","0.2.3","0.2.2","0.2.1","0.2.0","0.1.3","0.1.2","0.1.1","0.1.0","0.2.7"],"id":"pypi/2025-09-soopsocks/soopsocks","source":"kam193"},{"sha256":"ca432b15dd310c0563790ddbffb84582f20b388625f6860669a89d0522f0b4f1","import_time":"2025-12-30T22:39:04.180662186Z","modified_time":"2025-09-26T16:26:52.468777Z","versions":["0.1.0","0.1.1","0.1.2","0.1.3","0.2.0","0.2.1","0.2.2","0.2.3","0.2.4","0.2.5","0.2.6","0.2.7","0.2.7"],"id":"pypi/2025-09-soopsocks/soopsocks","source":"kam193"},{"sha256":"18dba171f7b25bab5d0a24d26b02d0a38002ec4abe48279f824b4cfc8ac4703c","import_time":"2026-04-22T21:21:55.45655081Z","modified_time":"2025-09-26T16:26:52.468777Z","versions":["0.1.0","0.1.1","0.1.2","0.1.3","0.2.0","0.2.1","0.2.2","0.2.3","0.2.4","0.2.5","0.2.6","0.2.7"],"id":"pypi/2025-09-soopsocks/soopsocks","source":"kam193"}]},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/d1cb05c0e57ceb142a5e1117df4359a62df3a01f708561f4714e10e8f2af1f0d/detection"},{"type":"WEB","url":"https://research.jfrog.com/post/check-your-socks-a-deep-dive-into-soopsocks-pypi/"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/soopsocks"}],"affected":[{"package":{"name":"soopsocks","ecosystem":"PyPI","purl":"pkg:pypi/soopsocks"},"versions":["0.2.7","0.2.6","0.2.5","0.2.4","0.2.3","0.2.2","0.2.1","0.2.0","0.1.3","0.1.2","0.1.1","0.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/soopsocks/MAL-2025-191872.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}