{"id":"MAL-2025-3014","summary":"Malicious code in w3socket (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (729a8001d69369db2b822c1a13ba9363d3dad46299a6ced4e52ab604c3261ec4)\nweb3socket: In the class there is a hidden code that loads a binary Python code from a remote location impersonating PyPI Github account\nweb3node: The package is used to download and run remote code by other packages. Files darwin.py, gnu.py and win32.py contain code that adds executing remote code to the crontab as well as an attempt to escalate privileges.\nw3socket: It uses web3node to start remote code in config.py\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-02-web3socket\n\n\nReasons (based on the campaign):\n\n\n - dependency-confusion\n\n\n - impersonation\n\n\n - Downloads and executes a remote malicious script.\n","modified":"2026-04-16T15:58:50.467120Z","published":"2025-02-17T10:36:37Z","database_specific":{"malicious-packages-origins":[{"sha256":"02827c7665179ae3b0de814e4e26d33e46361e6c3d470277311e814d1545be07","source":"reversing-labs","import_time":"2025-03-31T07:07:07.304757137Z","modified_time":"2025-03-28T13:06:29Z","versions":["0.1.1"],"id":"RLMA-2025-02013"},{"sha256":"c037b4c528e4a66879f4f1963660065ea4ca715f4b52d60ee31f7e067b496cf5","source":"kam193","import_time":"2025-12-02T22:30:55.723096371Z","modified_time":"2025-02-17T10:36:37Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"id":"pypi/2025-02-web3socket/w3socket"},{"sha256":"729a8001d69369db2b822c1a13ba9363d3dad46299a6ced4e52ab604c3261ec4","source":"kam193","import_time":"2025-12-02T23:07:18.762984767Z","modified_time":"2025-02-17T10:36:37Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"id":"pypi/2025-02-web3socket/w3socket"},{"sha256":"f9af39000e0310c4e2fef4a66b3a6ccfafbf4b77dea51d89c4f32e5912765bd7","source":"kam193","import_time":"2025-12-10T21:38:57.932331863Z","modified_time":"2025-02-17T10:36:37Z","versions":["0.1.0","0.1.1"],"id":"pypi/2025-02-web3socket/w3socket"},{"sha256":"af6dee850f897ae64bbc69c9dc82cabac294df3bf1129d29f03d3c469f294f09","source":"reversing-labs","import_time":"2026-03-19T12:20:41.582294055Z","modified_time":"2026-03-18T12:20:18Z","id":"RLUA-2026-00899"},{"sha256":"5ae2803160f6827421d04091073d859e280fdae6c23aa7302de1c0e9bd39e8ef","source":"reversing-labs","import_time":"2026-04-16T15:39:36.43124881Z","modified_time":"2026-04-16T10:27:55Z","versions":["0.1.0"],"id":"RLUA-2026-02084"}],"iocs":{"urls":["https://raw.githubusercontent.com/pypi-org/DynamicLibs/refs/heads/main/web3config.pyc","https://github.com/pypi-org/web3sockcet","https://saboreysecretos.com/wp-includes/assets/script-modules-packages.win.php?u=2"],"domains":["saboreysecretos.com"]}},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/w3socket"}],"affected":[{"package":{"name":"w3socket","ecosystem":"PyPI","purl":"pkg:pypi/w3socket"},"versions":["0.1.1","0.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/w3socket/MAL-2025-3014.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}