{"id":"MAL-2025-191919","summary":"Malicious code in uzip (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (ee20087db4a86ce68765ba8046732e8f1fc906c58a0303e836429a63788dc97f)\nDuring initialization of the archive-support class, the package starts code from another file and downloads multi-stage malware\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-11-uzip\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n\n\n - obfuscation\n\n\n - malware\n","modified":"2026-02-26T10:05:43.681109Z","published":"2025-11-22T16:53:45Z","database_specific":{"iocs":{"ips":["77.105.161.164"],"urls":["http://77.105.161.164:3301/library","http://77.105.161.164:3301/die1"]},"malicious-packages-origins":[{"sha256":"b1d7db00ba4f8c670ae2a1b70169782860303f25f14d7130b4856ce72981f265","versions":["0.1.1","0.1.0"],"import_time":"2025-12-02T22:30:55.707078606Z","modified_time":"2025-11-22T16:53:45.368693Z","id":"pypi/2025-11-uzip/uzip","source":"kam193"},{"sha256":"ee20087db4a86ce68765ba8046732e8f1fc906c58a0303e836429a63788dc97f","versions":["0.1.1","0.1.0"],"import_time":"2025-12-02T23:07:18.746098483Z","modified_time":"2025-11-22T16:53:45.368693Z","id":"pypi/2025-11-uzip/uzip","source":"kam193"},{"sha256":"5aaba949ae7faf2413a0b1fbe36653883d7250a9d8fe71e5eca150bc6b2c9665","versions":["0.1.1","0.1.0"],"import_time":"2025-12-11T17:11:15.737550123Z","modified_time":"2025-11-22T16:53:45.368693Z","id":"pypi/2025-11-uzip/uzip","source":"kam193"},{"sha256":"d7e4a8570ffc3f4656de4dd651ae64ddb7612b68557086b052dda63c88e23908","versions":["0.1.0","0.1.1"],"import_time":"2025-12-30T22:39:04.204462368Z","modified_time":"2025-11-22T16:53:45.368693Z","id":"pypi/2025-11-uzip/uzip","source":"kam193"},{"sha256":"b674b95755c5b73a12e4acd5bf570d6b333cc7cfb5ddf21b899e5e715718b52b","versions":["0.1.0","0.1.1"],"import_time":"2026-02-26T09:49:02.35474347Z","modified_time":"2025-11-22T16:53:45.368693Z","id":"pypi/2025-11-uzip/uzip","source":"kam193"}]},"references":[{"type":"WEB","url":"https://www.virustotal.com/gui/file-analysis/MGEwNWE0MzhlMTU3NTUxZTU1OGI4NTRkYTA2MWMxM2M6MTc2MzgzMDEyNA=="},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/8808a0a09c0180afe742f0265f8b42bf671bc2083dcecd47c1515f52554200d9/detection"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/uzip"},{"type":"WEB","url":"https://www.getsafety.com/blog-posts/extrazip-malware-campaign"}],"affected":[{"package":{"name":"uzip","ecosystem":"PyPI","purl":"pkg:pypi/uzip"},"versions":["0.1.1","0.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/uzip/MAL-2025-191919.json"}}],"schema_version":"1.7.3","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}