{"id":"MAL-2025-192385","summary":"Malicious code in graphsync (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (dbb10327d6553750848c2b849abba1ed717438928a6cfdc148b73de73db8e9db)\nThis is a malicious copy of the networkx package. It contains an obfuscated script that downloads and runs further scripts from one of multiple locations, and perform covering tracks by removing the modified code and all references to it. During the analysis, most of remote URLs did not serve any meaningful content, so the final goal is unknown.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-12-graphnode\n\n\nReasons (based on the campaign):\n\n\n - obfuscation\n\n\n - Downloads and executes a remote malicious script.\n\n\n - clones-real-package\n","modified":"2026-02-11T17:03:52.187104Z","published":"2025-12-09T08:01:54Z","database_specific":{"iocs":{"urls":["https://raw.githubusercontent.com/oscaratkins831/CrowdFunding-Smart-Contract-main/refs/heads/main/readme.md","https://drive.google.com/uc?export=download&id=1JhtoVi6UjdCEa9mT5kHvYxd2UauiccW4","https://aurevian.cloud/public/startup.py?ver=1.2","https://raw.githubusercontent.com/ronniebrooks/node-javascript-ecommerce-main/refs/heads/main/.gitignore","https://raw.githubusercontent.com/ronniebrooks/node-javascript-ecommerce-main/refs/heads/main/package.json","https://drive.google.com/uc?export=download&id=1FKQxvZM2zl0pmtf_cIHdjLSVdf-ZlUYR","https://drive.google.com/uc?export=download&id=1RPC49CCI9urhfoVdPkO3pCSI4Lr430Lx"],"domains":["aurevian.cloud"]},"malicious-packages-origins":[{"versions":["1.1.1","1.1.0"],"import_time":"2025-12-09T08:44:45.80113328Z","sha256":"dbb10327d6553750848c2b849abba1ed717438928a6cfdc148b73de73db8e9db","modified_time":"2025-12-09T08:01:54.035646Z","source":"kam193","id":"pypi/2025-12-graphnode/graphsync"},{"versions":["1.1.0","1.1.1"],"import_time":"2025-12-30T22:39:04.093546364Z","sha256":"5f90028620c243d8f4c4345f3d9de2b21c0d1fcc6a7b56d7654589baa760f39f","modified_time":"2025-12-09T08:01:54.035646Z","source":"kam193","id":"pypi/2025-12-graphnode/graphsync"},{"versions":["1.1.0","1.1.1"],"import_time":"2026-02-11T16:52:08.202448912Z","sha256":"ec94d3fbe5a41c721fdb8f6de0b7485d5b8a13e61f65f72a7e0754c7f5589ae6","modified_time":"2025-12-09T08:01:54.035646Z","source":"kam193","id":"pypi/2025-12-graphnode/graphsync"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/graphsync"},{"type":"WEB","url":"https://www.reversinglabs.com/blog/fake-recruiter-campaign-crypto-devs"}],"affected":[{"package":{"name":"graphsync","ecosystem":"PyPI","purl":"pkg:pypi/graphsync"},"versions":["1.1.1","1.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/graphsync/MAL-2025-192385.json"}}],"schema_version":"1.7.3","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}