{"id":"MAL-2025-192579","summary":"Malicious code in smtblib (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (15a295f1d98fcbbdd6a077bc3a849966ca3f73919c0d47e58948ff382481e5b6)\nMalicious copy of a standard library module that during class initialization downloads and executes remote code and after that attempts to cover its tracks by overwriting itself with non-malicious code. The remote code aims to collect and exfiltrate sensitive Telegram session files.\n\nThis campaign shares infrastructure and basic methods with previous 2025-11-uzip campaign.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-12-smtblib\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote malicious script.\n\n\n - infostealer\n\n\n - target:telegram\n\n\n - exfiltration-credentials\n\n\n - action-hidden-in-lib-usage\n\n\n - covering-tracks\n\n\n - clones-real-package\n\n\n - typosquatting\n","modified":"2026-02-26T10:07:19.094670Z","published":"2025-12-15T15:24:47Z","database_specific":{"malicious-packages-origins":[{"sha256":"15a295f1d98fcbbdd6a077bc3a849966ca3f73919c0d47e58948ff382481e5b6","import_time":"2025-12-15T16:09:58.124370721Z","modified_time":"2025-12-15T15:24:47.925085Z","source":"kam193","versions":["0.1.8"],"id":"pypi/2025-12-smtblib/smtblib"},{"sha256":"8f293710c6c269b679abd0ea8af0d9fd6f5ed2604f0e610a89baa9a0c769e980","import_time":"2025-12-15T20:08:14.979212651Z","modified_time":"2025-12-15T19:54:36.926709Z","source":"kam193","versions":["0.1.8","0.1.9"],"id":"pypi/2025-12-smtblib/smtblib"},{"sha256":"16144127ff973bbc911f4fd6fce8480d291aaeb526dec941bd80e03d93994ee4","import_time":"2025-12-29T11:07:13.545369573Z","modified_time":"2025-12-15T19:54:36.926709Z","source":"kam193","versions":["0.1.8","0.1.9"],"id":"pypi/2025-12-smtblib/smtblib"},{"sha256":"cc2e09b4df5147ee9fc025ec9367227d949a09bdc1237f0b217129c419af15dd","import_time":"2026-02-26T09:49:02.335373295Z","modified_time":"2025-12-15T19:54:36.926709Z","source":"kam193","versions":["0.1.8","0.1.9"],"id":"pypi/2025-12-smtblib/smtblib"}],"iocs":{"ips":["87.120.107.132"],"urls":["http://87.120.107.132:3301/reactor","http://87.120.107.132:1488/drill","http://87.120.107.132:1488/drip"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/smtblib"},{"type":"WEB","url":"www.getsafety.com/blog-posts/extrazip-malware-campaign"}],"affected":[{"package":{"name":"smtblib","ecosystem":"PyPI","purl":"pkg:pypi/smtblib"},"versions":["0.1.8","0.1.9"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/smtblib/MAL-2025-192579.json"}}],"schema_version":"1.7.3","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}