{"id":"MAL-2025-3429","summary":"Malicious code in asynchttpx (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (5b8f233eae76de4578a7b30c6564338d644a7dfa1f59682337792de5ad13668f)\nImporting the module starts downloading and executing first a script, and then a widely identified malware\n\nPackages are used as dependencies in a GitHub project https://github.com/ToolParadiseDrako/Nuker-Tool-Paradise\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-03-httpx-client\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n\n\n - Downloads and executes a remote malicious script.\n\n\n - malware\n","modified":"2026-03-19T12:50:30.754552Z","published":"2025-03-17T21:47:06Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2025-04-23T16:06:13Z","sha256":"d392c3b5b294cf5ed0f8ea36a2218c162f8bdebfb41064bbf49b33c081b8e5eb","import_time":"2025-04-25T09:36:44.556840086Z","id":"RLMA-2025-02488","versions":["0.0.2"],"source":"reversing-labs"},{"modified_time":"2025-03-17T21:47:06Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"import_time":"2025-12-02T22:30:54.951986811Z","id":"pypi/2025-03-httpx-client/asynchttpx","sha256":"06822f2d60049efaf55fc4d913311d71e9ef6bbcbe4e07c79c3f02926fc76665","source":"kam193"},{"modified_time":"2025-03-17T21:47:06Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"import_time":"2025-12-02T23:07:17.991776059Z","id":"pypi/2025-03-httpx-client/asynchttpx","sha256":"5b8f233eae76de4578a7b30c6564338d644a7dfa1f59682337792de5ad13668f","source":"kam193"},{"modified_time":"2025-03-17T21:47:06Z","sha256":"449f749aff9ba237639644b326f7475bde98d4aec364d794bfcce51a77e299c9","import_time":"2025-12-10T21:38:57.297427847Z","id":"pypi/2025-03-httpx-client/asynchttpx","versions":["0.0.2"],"source":"kam193"},{"modified_time":"2026-03-18T12:11:18Z","sha256":"d4d4f60867a1881d6c44d06bed815b780ccb05ddb5735c0afa0868ee70dd41db","import_time":"2026-03-19T12:19:24.547464374Z","id":"RLUA-2026-00090","source":"reversing-labs"}],"iocs":{"domains":["zetolacs-cloud.top","contorosa.space"],"urls":["https://zetolacs-cloud.top/Stb/Retev.php?bl=Uic2YYQdDhtfiKAZnULCW012.txt","https://raw.githubusercontent.com/mrunknown12321/1234/refs/heads/main/1234","https://raw.githubusercontent.com/VinieClara/FN-Manfiestes/main/SdkVersion.txt"]}},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/08a2072bf8e155457afe84d61a9d2e077183b7b8413c9c601c9cf30454c2f4a0"},{"type":"EVIDENCE","url":"https://tria.ge/250316-s2sj2sxmx7"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/asynchttpx"}],"affected":[{"package":{"name":"asynchttpx","ecosystem":"PyPI","purl":"pkg:pypi/asynchttpx"},"versions":["0.0.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/asynchttpx/MAL-2025-3429.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}