{"id":"MAL-2025-3432","summary":"Malicious code in bbllaacckkwwoollff6ad8f751 (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (e88e848094db2d7414ceaf71a5a332701df9a17b145c137f0f5df76503847f90)\nDuring installation, the code either exfiltrates some information about the system or downloads and executes remote code\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-03-blackwolf\n\n\nReasons (based on the campaign):\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n\n - exfiltration-generic\n\n\n - Downloads and executes a remote malicious script.\n","modified":"2026-03-19T12:50:57.544091Z","published":"2025-03-24T08:08:10Z","database_specific":{"iocs":{"domains":["blackwolf.obs.cn-north-4.myhuaweicloud.com"]},"malicious-packages-origins":[{"sha256":"febc7a27b3039a70f970dd07b8d215c3ae5ca734d0903ef8a0635d2c51690437","versions":["0.1"],"import_time":"2025-04-25T09:36:44.827972721Z","id":"RLMA-2025-02491","modified_time":"2025-04-23T16:06:14Z","source":"reversing-labs"},{"sha256":"7dc62e2598cbfb6155a788432914de576f573fdcc9f035848687416e630c61e1","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"import_time":"2025-12-02T22:30:54.977340287Z","id":"pypi/2025-03-blackwolf/bbllaacckkwwoollff6ad8f751","modified_time":"2025-03-24T08:08:10Z","source":"kam193"},{"sha256":"e88e848094db2d7414ceaf71a5a332701df9a17b145c137f0f5df76503847f90","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"import_time":"2025-12-02T23:07:18.008992466Z","id":"pypi/2025-03-blackwolf/bbllaacckkwwoollff6ad8f751","modified_time":"2025-03-24T08:08:10Z","source":"kam193"},{"sha256":"56f44be45f7fe4a2fd0011e117ad515b7cb88ae0c4289a097bcf23cba470c723","versions":["0.1"],"import_time":"2025-12-10T21:38:57.310662078Z","id":"pypi/2025-03-blackwolf/bbllaacckkwwoollff6ad8f751","modified_time":"2025-03-24T08:08:10Z","source":"kam193"},{"sha256":"6667729590c09deb746dfecd660694ce7f0e3127e70b5e42cb0f1a8a04f85aaa","import_time":"2026-03-19T12:19:28.799637835Z","id":"RLUA-2026-00138","modified_time":"2026-03-18T12:11:49Z","source":"reversing-labs"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/bbllaacckkwwoollff6ad8f751"}],"affected":[{"package":{"name":"bbllaacckkwwoollff6ad8f751","ecosystem":"PyPI","purl":"pkg:pypi/bbllaacckkwwoollff6ad8f751"},"versions":["0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/bbllaacckkwwoollff6ad8f751/MAL-2025-3432.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}