{"id":"MAL-2025-2967","summary":"Malicious code in heroku-tl (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (8a78aff2389300306864bb3d44e1ac70675e128845a4d734dae5ffbc39076b93)\nClone of a legit Telegram client, with a hidden code that, under some conditions, can attempt to destroy the Linux OS.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-03-heroku-tl\n\n\nReasons (based on the campaign):\n\n\n - clones-real-package\n\n\n - action-hidden-in-lib-usage\n","modified":"2026-04-16T16:03:20.043187Z","published":"2025-03-08T07:34:12Z","database_specific":{"malicious-packages-origins":[{"id":"RLMA-2025-01965","modified_time":"2025-03-28T13:05:43Z","import_time":"2025-03-31T07:07:05.679080988Z","versions":["3.2.0","3.2.1","3.2.2","3.2.5"],"source":"reversing-labs","sha256":"0a8f4fc0a5d0503ac09d15275006031ce30676e8778cddddd61d8fd257fd3518"},{"id":"pypi/2025-03-heroku-tl/heroku-tl","modified_time":"2025-03-08T07:34:12Z","import_time":"2025-12-02T22:30:55.242078481Z","source":"kam193","sha256":"f65785e45b1a1412bb45fd3f8bbc75a9ba4709d4749e07b8db315d28c58cc1f7","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"id":"pypi/2025-03-heroku-tl/heroku-tl","modified_time":"2025-03-08T07:34:12Z","import_time":"2025-12-02T23:07:18.265054874Z","source":"kam193","sha256":"8a78aff2389300306864bb3d44e1ac70675e128845a4d734dae5ffbc39076b93","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"id":"pypi/2025-03-heroku-tl/heroku-tl","modified_time":"2025-03-08T07:34:12Z","import_time":"2025-12-10T21:38:57.527357363Z","versions":["2.1.0","2.1.1","2.2.2","2.5.0","2.5.1","2.6.0","2.8.0","2.9.0","3.0.0","3.0.1","3.1.0","3.2.1","3.2.0","3.2.2","3.2.5"],"source":"kam193","sha256":"f582fa05d5a878f06b3d751c56ce9c8231144aa385b567532baf91452d6af91c"},{"id":"pypi/2025-03-heroku-tl/heroku-tl","modified_time":"2025-03-08T07:34:12Z","import_time":"2025-12-30T22:39:04.095546063Z","versions":["2.1.0","2.1.1","2.2.2","2.5.0","2.5.1","2.6.0","2.8.0","2.9.0","3.0.0","3.0.1","3.1.0","3.2.0","3.2.1","3.2.2","3.2.5"],"source":"kam193","sha256":"e0f9dcd6289d0a3933488f9c5affeaaebd78d6ad3eb20d542b1e2782c068ca90"},{"id":"RLUA-2026-00387","modified_time":"2026-03-18T12:14:36Z","import_time":"2026-03-19T12:19:51.627523286Z","source":"reversing-labs","sha256":"f0712a9afe745c4bc3354354515ea6ae3559f44a0084e181f890244801905dfd"},{"id":"RLUA-2026-02070","modified_time":"2026-04-16T10:26:39Z","import_time":"2026-04-16T15:39:34.887338305Z","versions":["3.0.0","2.1.1","2.5.0","2.5.1","2.9.0","2.6.0","3.0.1","2.2.2","3.1.0","2.1.0","2.8.0"],"source":"reversing-labs","sha256":"cd936b22207b5a7a8164d664ed3f3bd13f58d8f3a53493a2e767f36221d1632b"}],"iocs":{"domains":["banlist.heroku-ub.top","heroku-ub.top"],"urls":["https://banlist.heroku-ub.top/get_ids"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/heroku-tl"}],"affected":[{"package":{"name":"heroku-tl","ecosystem":"PyPI","purl":"pkg:pypi/heroku-tl"},"versions":["3.2.0","3.2.1","3.2.2","3.2.5","2.1.0","2.1.1","2.2.2","2.5.0","2.5.1","2.6.0","2.8.0","2.9.0","3.0.0","3.0.1","3.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/heroku-tl/MAL-2025-2967.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}