{"id":"MAL-2025-3004","summary":"Malicious code in systoring (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (5be790277882f23120bae2ed3979650349878074f8d3d10f869d726fa106160f)\nInfostealer with multiple possibilities, but not auto-activating on installation. There are already multiple attempts to publish it, with different innocent-looking names.\n\nThe campaign contains the with Infostealer itself and packages that include it as dependency and triggered.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-02-multis\n\n\nReasons (based on the campaign):\n\n\n - infostealer\n\n\n - The malicious code is intentionally included in a dependency of the package\n","modified":"2026-03-19T12:57:12.207535Z","published":"2025-02-13T13:18:05Z","database_specific":{"malicious-packages-origins":[{"id":"RLMA-2025-02003","source":"reversing-labs","modified_time":"2025-03-28T13:06:21Z","versions":["0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.1.9","0.1.10"],"sha256":"7c318d092e4c5b40f87820451043fbaec4808afba5e93709d4ce1ed405f01d38","import_time":"2025-03-31T07:07:06.91570307Z"},{"id":"pypi/2025-02-multis/systoring","source":"kam193","modified_time":"2025-02-13T13:18:05Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"sha256":"8fc117ab38f0c3fb09e1481d5a4f921bcbf0c87d1765530cdccc9f384a003902","import_time":"2025-12-02T22:30:55.623568808Z"},{"id":"pypi/2025-02-multis/systoring","source":"kam193","modified_time":"2025-02-13T13:18:05Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"sha256":"5be790277882f23120bae2ed3979650349878074f8d3d10f869d726fa106160f","import_time":"2025-12-02T23:07:18.664546697Z"},{"id":"pypi/2025-02-multis/systoring","source":"kam193","modified_time":"2025-02-13T13:18:05Z","versions":["0.1.1","0.1.3","0.1.2","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.1.9","0.1.10"],"sha256":"46e40ebd6cec3d9715aa0b69017ba338670ff6f10d15799efa5955d1e653cf6e","import_time":"2025-12-10T21:38:57.852724663Z"},{"id":"pypi/2025-02-multis/systoring","source":"kam193","modified_time":"2025-02-13T13:18:05Z","versions":["0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.1.9","0.1.10"],"sha256":"3fd0a128d068d845fa7fa32379a50d9bbc3914a3f60808ec52298f807e3d9335","import_time":"2025-12-30T22:39:04.193371726Z"},{"id":"RLUA-2026-00797","source":"reversing-labs","modified_time":"2026-03-18T12:19:13Z","sha256":"e3b4d0a271a555ab55e8ae60c40d4fa2b85d2f8b1c28978b43309bfeb64626ba","import_time":"2026-03-19T12:20:31.525951398Z"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/systoring"}],"affected":[{"package":{"name":"systoring","ecosystem":"PyPI","purl":"pkg:pypi/systoring"},"versions":["0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.1.9","0.1.10"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/systoring/MAL-2025-3004.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}