{"id":"MAL-2025-3433","summary":"Malicious code in bbllaacckkwwoollff6ad8f752 (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (e1532a9577dc6edfd513dfbb1f189bc4cd08297e76c1f93bb2bf25ceaa210618)\nDuring installation, the code either exfiltrate some information about the system or download and execute remote code\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-03-blackwolf\n\n\nReasons (based on the campaign):\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n\n - exfiltration-generic\n\n\n - Downloads and executes a remote malicious script.\n","modified":"2026-03-19T12:51:05.099317Z","published":"2025-03-24T08:08:10Z","database_specific":{"malicious-packages-origins":[{"import_time":"2025-04-25T09:36:44.940726324Z","modified_time":"2025-04-23T16:06:15Z","id":"RLMA-2025-02492","versions":["0.1","0.2"],"source":"reversing-labs","sha256":"72e980b84ba0111bc57e8e35b03f96d070fbde5a53269d37a5b1c882b72fa4f0"},{"import_time":"2025-12-02T22:30:54.978980019Z","modified_time":"2025-03-24T08:08:10Z","id":"pypi/2025-03-blackwolf/bbllaacckkwwoollff6ad8f752","sha256":"bdf7126792a545d18d203fe68b591281199352da9d1ad033874610731c1187f7","source":"kam193","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}]},{"import_time":"2025-12-02T23:07:18.009891194Z","modified_time":"2025-03-24T08:08:10Z","id":"pypi/2025-03-blackwolf/bbllaacckkwwoollff6ad8f752","sha256":"e1532a9577dc6edfd513dfbb1f189bc4cd08297e76c1f93bb2bf25ceaa210618","source":"kam193","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}]},{"import_time":"2025-12-10T21:38:57.311461218Z","modified_time":"2025-03-24T08:08:10Z","id":"pypi/2025-03-blackwolf/bbllaacckkwwoollff6ad8f752","versions":["0.1","0.2"],"source":"kam193","sha256":"2b769543b9f9334486333199ed4553df7dce7b143a6f7d18a0182253891c40c6"},{"import_time":"2026-03-19T12:19:28.899727742Z","modified_time":"2026-03-18T12:11:50Z","id":"RLUA-2026-00139","source":"reversing-labs","sha256":"0c8e7c8a388b6004c9885200a90d6e92d97521286dfce3319430f0f8d158710d"}],"iocs":{"domains":["blackwolf.obs.cn-north-4.myhuaweicloud.com"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/bbllaacckkwwoollff6ad8f752"}],"affected":[{"package":{"name":"bbllaacckkwwoollff6ad8f752","ecosystem":"PyPI","purl":"pkg:pypi/bbllaacckkwwoollff6ad8f752"},"versions":["0.1","0.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/bbllaacckkwwoollff6ad8f752/MAL-2025-3433.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}