{"id":"MAL-2025-1980","summary":"Malicious code in mlc-ai-nightly (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (7f1b0b9f87631941501e2d04d9eab7f1cd7232f770812e3373b736f9e682dc2a)\nInstalling the package exfiltrates information about the host, including environmental variables.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-01-mlc-ai-nightly\n\n\nReasons (based on the campaign):\n\n\n - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n\n - exfiltration-env-variables\n\n\n - dependency-confusion\n","modified":"2026-04-16T15:58:47.551990Z","published":"2025-01-21T18:27:56Z","database_specific":{"malicious-packages-origins":[{"sha256":"f2f2448a6e809b5652703a01b26ffa3f9bbb65e24c7787af16dec2b2202b1014","modified_time":"2025-03-03T13:45:00Z","id":"RLMA-2025-01221","versions":["9.9.9","9.9.99"],"import_time":"2025-03-03T15:07:15.711773495Z","source":"reversing-labs"},{"sha256":"41a95be29005f697d7d9b8e181b8c826ef6f44d7236ccf86e7625a94730ff564","modified_time":"2025-01-21T18:27:56Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"id":"pypi/2025-01-mlc-ai-nightly/mlc-ai-nightly","import_time":"2025-12-02T22:30:55.341505512Z","source":"kam193"},{"sha256":"7f1b0b9f87631941501e2d04d9eab7f1cd7232f770812e3373b736f9e682dc2a","modified_time":"2025-01-21T18:27:56Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"id":"pypi/2025-01-mlc-ai-nightly/mlc-ai-nightly","import_time":"2025-12-02T23:07:18.371016637Z","source":"kam193"},{"sha256":"6f224462b0e3f2708463ba91241645578b5beb72fc7e1f515257a5917e1a079e","modified_time":"2025-01-21T18:27:56Z","id":"pypi/2025-01-mlc-ai-nightly/mlc-ai-nightly","versions":["0.0.1","9.9.9","9.9.99"],"import_time":"2025-12-10T21:38:57.59699036Z","source":"kam193"},{"sha256":"93f5f04580275ab2a5ab52810dde2cb1ab98c16a2905b5e43ae603c2dc135ee6","modified_time":"2026-03-18T12:16:09Z","id":"RLUA-2026-00525","import_time":"2026-03-19T12:20:05.078889603Z","source":"reversing-labs"},{"sha256":"26a521f54774288cebbfc79b2ec113bafd07429f3b494c35536d457cebb5ba49","modified_time":"2026-04-16T10:27:17Z","id":"RLUA-2026-02074","versions":["0.0.1"],"import_time":"2026-04-16T15:39:35.443009336Z","source":"reversing-labs"}],"iocs":{"domains":["depcon.buzz"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/mlc-ai-nightly"}],"affected":[{"package":{"name":"mlc-ai-nightly","ecosystem":"PyPI","purl":"pkg:pypi/mlc-ai-nightly"},"versions":["9.9.9","9.9.99","0.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/mlc-ai-nightly/MAL-2025-1980.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}