{"id":"MAL-2025-3011","summary":"Malicious code in transaction-analyze (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (de16c0c85e09c235c78e898320412a3a2ae473c2ae91e939862b5e99fcb5950b)\nPackage contains obfuscated code that exfiltrates basic data and awaits commands from the remote server to execute them. This is a malicious copy of the legitimate https://pypi.org/project/coinanalyse/ package.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-02-coinanalyze\n\n\nReasons (based on the campaign):\n\n\n - backdoor\n\n\n - typosquatting\n\n\n - obfuscation\n\n\n - clones-real-package\n\n\n - crypto-related\n\n\n - The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.\n","modified":"2026-03-19T12:57:41.858109Z","published":"2025-02-24T10:06:17Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.1","1.0.2","1.0.3","1.0.4"],"modified_time":"2025-03-28T13:06:26Z","id":"RLMA-2025-02010","import_time":"2025-03-31T07:07:07.145523753Z","sha256":"b7c055d0b6120500a77f1c8d41953efdd109a5e078a153f6c1984f0cbe35c5af","source":"reversing-labs"},{"modified_time":"2025-02-24T10:06:17Z","id":"pypi/2025-02-coinanalyze/transaction-analyze","import_time":"2025-12-02T22:30:55.6574316Z","source":"kam193","sha256":"b94b0a02279e4e7ab3a874e5c93505194f3c29ec7bdb930c310ee4b458ee1293","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"modified_time":"2025-02-24T10:06:17Z","id":"pypi/2025-02-coinanalyze/transaction-analyze","import_time":"2025-12-02T23:07:18.700801687Z","source":"kam193","sha256":"de16c0c85e09c235c78e898320412a3a2ae473c2ae91e939862b5e99fcb5950b","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"versions":["1.0.1","1.0.3","1.0.4"],"modified_time":"2025-02-24T10:06:17Z","id":"pypi/2025-02-coinanalyze/transaction-analyze","import_time":"2025-12-10T21:38:57.885962382Z","sha256":"2c7bf1798f81239fa4d39b94c0b243db09e286b26f329fa0db4da86a21a9960e","source":"kam193"},{"modified_time":"2026-03-18T12:19:38Z","id":"RLUA-2026-00836","import_time":"2026-03-19T12:20:35.243166014Z","sha256":"61207328671c30bda41bf41765a7138089aa03dbde27f6bda478eada114fd1c3","source":"reversing-labs"}],"iocs":{"urls":["https://wonderchristmas.store/jupdate.php","http://netupdates.info/board/board.php"],"domains":["wonderchristmas.store","netupdates.info"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/transaction-analyze"}],"affected":[{"package":{"name":"transaction-analyze","ecosystem":"PyPI","purl":"pkg:pypi/transaction-analyze"},"versions":["1.0.1","1.0.2","1.0.3","1.0.4"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/transaction-analyze/MAL-2025-3011.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}