{"id":"MAL-2025-2012","summary":"Malicious code in web3imports (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (84bb9be7600c163a4a67214f02bb476ce8498551fb0195bbe56161287d86c8cf)\nImporting the module starts (through __init__.py) the code that download, extracts and starts a remote executable. This has been identified by any.run as a AsyncRAT. The VirtusTotal detection rate was originally at the edge of false positive, but increased significantly during a few hours.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-01-asynchelpers\n\n\nReasons (based on the campaign):\n\n\n - infostealer\n\n\n - Downloads and executes a remote executable.\n\n\n - malware\n","modified":"2026-03-19T12:58:19.481860Z","published":"2025-02-01T00:45:27Z","database_specific":{"malicious-packages-origins":[{"import_time":"2025-03-03T15:07:19.340920792Z","sha256":"4596fb5c9e777f66263d34bbda6be30d81f63ff19a84b17bef39b688f6d70c55","versions":["1.1.0"],"id":"RLMA-2025-01258","modified_time":"2025-03-03T13:45:37Z","source":"reversing-labs"},{"import_time":"2025-12-02T22:30:55.752848504Z","sha256":"5ea7b5e15abdc28f03e980217f5fc1fd3b6398c63e88a69300557d2d64ccfe96","modified_time":"2025-02-01T00:45:27Z","id":"pypi/2025-01-asynchelpers/web3imports","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"source":"kam193"},{"import_time":"2025-12-02T23:07:18.794709514Z","sha256":"84bb9be7600c163a4a67214f02bb476ce8498551fb0195bbe56161287d86c8cf","modified_time":"2025-02-01T00:45:27Z","id":"pypi/2025-01-asynchelpers/web3imports","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"source":"kam193"},{"import_time":"2025-12-10T21:38:57.96173258Z","sha256":"99b3b2bc5582277a557d1f3e8f547605c4f3a4f93fee23a0e83fdb815b960987","versions":["1.1.0"],"id":"pypi/2025-01-asynchelpers/web3imports","modified_time":"2025-02-01T00:45:27Z","source":"kam193"},{"import_time":"2026-03-19T12:20:43.405118809Z","sha256":"f48817572f00f6257470c77e8477ba54388fb446e58cb404f6feb992a30fa70a","id":"RLUA-2026-00918","modified_time":"2026-03-18T12:20:29Z","source":"reversing-labs"}],"iocs":{"ips":["104.194.151.19"],"urls":["https://github.com/asynchelpers/asynchelpers/raw/refs/heads/main/configs/main/security_profiles/functionality.zip"]}},"references":[{"type":"EVIDENCE","url":"https://app.any.run/tasks/f4f95dff-ac96-47f1-bc14-76e2745ecb3d"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/265ef544887043fb158f2049a4e77ccf6119e28e3aebcde66b28db70795b5ee6"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/web3imports"}],"affected":[{"package":{"name":"web3imports","ecosystem":"PyPI","purl":"pkg:pypi/web3imports"},"versions":["1.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/web3imports/MAL-2025-2012.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}