{"id":"MAL-2025-2969","summary":"Malicious code in kgmicolors (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (0d93708c54253e6772832d4aa1ef7f59e5f4f4c159d5ffaaa4045d8267b15b30)\nPackage contains hidden code that downloads a next stage script, which finally downloads and starts a malware from XWORM family as well as an infostealer\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-02-kgmicolors\n\n\nReasons (based on the campaign):\n\n\n - infostealer\n\n\n - Downloads and executes a remote malicious script.\n\n\n - malware\n","modified":"2026-03-19T12:54:24.599617Z","published":"2025-02-25T20:53:05Z","database_specific":{"iocs":{"urls":["https://raw.githubusercontent.com/Uwu-Kagami/multi-tool/refs/heads/main/modules/base_modules/requirements/load_modules.py","https://github.com/Uwu-Kagami/ConfigSecurityPolicy/raw/refs/heads/main/WinSysDrivers.zip","https://github.com/Uwu-Kagami"]},"malicious-packages-origins":[{"source":"reversing-labs","sha256":"bc80c88fcc1a584c34053a62ab784fad10c283d3cfe6c35a19e8f63a72777c04","import_time":"2025-03-31T07:07:05.742684337Z","versions":["0.1.0","0.1.1"],"modified_time":"2025-03-28T13:05:47Z","id":"RLMA-2025-01967"},{"source":"kam193","sha256":"460b2269bc9b49d8cfc6a1f3e0233e91670c10ccfea39af9f3ccb7ebae3b6c11","import_time":"2025-12-02T22:30:55.298970617Z","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"modified_time":"2025-02-25T20:53:05Z","id":"pypi/2025-02-kgmicolors/kgmicolors"},{"source":"kam193","sha256":"0d93708c54253e6772832d4aa1ef7f59e5f4f4c159d5ffaaa4045d8267b15b30","import_time":"2025-12-02T23:07:18.324022163Z","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"modified_time":"2025-02-25T20:53:05Z","id":"pypi/2025-02-kgmicolors/kgmicolors"},{"source":"kam193","sha256":"6d73015363550c22c5ee553a7780fce74d0b79656b574184fb779717fda7b5a7","import_time":"2025-12-10T21:38:57.563117819Z","versions":["0.1.0","0.1.1"],"modified_time":"2025-02-25T20:53:05Z","id":"pypi/2025-02-kgmicolors/kgmicolors"},{"source":"reversing-labs","sha256":"fa982acb4ba9f8d69a2901ac38a2c263287a5d10ab13ac64baf773db7df5a4ea","import_time":"2026-03-19T12:19:57.49784819Z","modified_time":"2026-03-18T12:15:23Z","id":"RLUA-2026-00452"}]},"references":[{"type":"WEB","url":"https://www.virustotal.com/gui/file-analysis/ZWU5OThlMWFlZWU3NTFhOGIwOGZmYzExMWU1MTk1MzM6MTc0MDUxNjgxMw=="},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/kgmicolors"}],"affected":[{"package":{"name":"kgmicolors","ecosystem":"PyPI","purl":"pkg:pypi/kgmicolors"},"versions":["0.1.0","0.1.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/kgmicolors/MAL-2025-2969.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}