{"id":"MAL-2025-2948","summary":"Malicious code in coingenerator (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (78810d9638861bd92d3f96d7e29a552a41eb97b69b8deba84892cc7f458fb8c0)\nPackage contains obfuscated code that exfiltrates basic data and waits for commands from the remote server to execute them. This is a malicious copy of the legitimate https://pypi.org/project/coinanalyse/ package.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-02-coinanalyze\n\n\nReasons (based on the campaign):\n\n\n - backdoor\n\n\n - typosquatting\n\n\n - obfuscation\n\n\n - clones-real-package\n\n\n - crypto-related\n\n\n - The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.\n","modified":"2026-03-19T12:51:55.627708Z","published":"2025-02-24T10:06:17Z","database_specific":{"iocs":{"urls":["https://wonderchristmas.store/jupdate.php","http://netupdates.info/board/board.php"],"domains":["wonderchristmas.store","netupdates.info"]},"malicious-packages-origins":[{"import_time":"2025-03-31T07:07:05.044849172Z","source":"reversing-labs","modified_time":"2025-03-28T13:05:27Z","versions":["1.0.1"],"id":"RLMA-2025-01946","sha256":"7b4e9a220b4e470034bb0e08ca502bcdc263dddaf798d5eda4a7c1e5d359bcc2"},{"import_time":"2025-12-02T22:30:55.054651441Z","source":"kam193","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"modified_time":"2025-02-24T10:06:17Z","id":"pypi/2025-02-coinanalyze/coingenerator","sha256":"5783a8540271b781c1260dfb3b3f3996f6682710c86906941fa127cb6f8cc688"},{"import_time":"2025-12-02T23:07:18.065179501Z","source":"kam193","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"modified_time":"2025-02-24T10:06:17Z","id":"pypi/2025-02-coinanalyze/coingenerator","sha256":"78810d9638861bd92d3f96d7e29a552a41eb97b69b8deba84892cc7f458fb8c0"},{"import_time":"2025-12-10T21:38:57.356226491Z","source":"kam193","modified_time":"2025-02-24T10:06:17Z","versions":["1.0.1"],"id":"pypi/2025-02-coinanalyze/coingenerator","sha256":"29b3f8437ee44a3f11b8b2cdc180c138e684ce3bbcd4d9004ec05efee5df0e10"},{"import_time":"2026-03-19T12:19:34.55333571Z","source":"reversing-labs","modified_time":"2026-03-18T12:12:33Z","id":"RLUA-2026-00206","sha256":"fa011ed661f807a2f47cc311981a796b74d749df97b6fd56bf05d239f329e2a3"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/coingenerator"}],"affected":[{"package":{"name":"coingenerator","ecosystem":"PyPI","purl":"pkg:pypi/coingenerator"},"versions":["1.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/coingenerator/MAL-2025-2948.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}