{"id":"MAL-2025-1971","summary":"Malicious code in deepseekai (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (b2b16bcb5b1deabfe7fb03e6a512343457033cfb57c0e70062d400d001b4a949)\nInstalling the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.\n\n\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.\n\n\nCampaign: GENERIC-standard-pypi-install-pentest\n\n\nReasons (based on the campaign):\n\n\n - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n","modified":"2026-03-19T12:52:25.368500Z","published":"2024-07-26T16:53:30Z","database_specific":{"malicious-packages-origins":[{"sha256":"912f47a1b71487a796e28a0ae681cac7a1a75fa3a4aa21ad5a650b58f0f1d15d","source":"reversing-labs","id":"RLMA-2025-01211","versions":["0.0.8"],"modified_time":"2025-03-03T13:44:49Z","import_time":"2025-03-03T15:07:14.651071721Z"},{"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"source":"kam193","id":"pypi/GENERIC-standard-pypi-install-pentest/deepseekai","sha256":"5a2fe581fd96fca9aeebabf98acee2c4757f2b0b373680c1396e8d47436056ec","modified_time":"2024-07-26T16:53:30Z","import_time":"2025-12-02T22:30:55.984661701Z"},{"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"source":"kam193","id":"pypi/GENERIC-standard-pypi-install-pentest/deepseekai","sha256":"b2b16bcb5b1deabfe7fb03e6a512343457033cfb57c0e70062d400d001b4a949","modified_time":"2024-07-26T16:53:30Z","import_time":"2025-12-02T23:07:19.178657147Z"},{"sha256":"05c43e705052a9b9393b9f1c56de1626a63616222a135c4fd47fa00b8ef34d91","source":"kam193","id":"pypi/GENERIC-standard-pypi-install-pentest/deepseekai","versions":["0.0.8"],"modified_time":"2024-07-26T16:53:30Z","import_time":"2025-12-10T21:38:58.319350221Z"},{"sha256":"ef02d037b585b7f791cf93f3da43a279f4bd4b84e3159d3e0de3d68547eec82f","source":"reversing-labs","id":"RLUA-2026-00256","modified_time":"2026-03-18T12:13:09Z","import_time":"2026-03-19T12:19:39.121135464Z"}]},"references":[{"type":"WEB","url":"https://hackread.com/hackers-hide-malware-fake-deepseek-pypi-packages"},{"type":"WEB","url":"https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/malicious-packages-deepseeek-and-deepseekai-published-in-python-package-index"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/deepseekai"}],"affected":[{"package":{"name":"deepseekai","ecosystem":"PyPI","purl":"pkg:pypi/deepseekai"},"versions":["0.0.8"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/deepseekai/MAL-2025-1971.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}