{"id":"MAL-2025-3435","summary":"Malicious code in bbllaacckkwwoollff6ad8f762 (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (4d90faddd66012c6f6fadc95f0a0e846b70504ed6ea47a65576ef5c4067a4985)\nDuring installation, the code either exfiltrates some information about the system or downloads and executes remote code\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-03-blackwolf\n\n\nReasons (based on the campaign):\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n\n - exfiltration-generic\n\n\n - Downloads and executes a remote malicious script.\n","modified":"2026-03-19T12:51:05.555260Z","published":"2025-03-24T08:08:10Z","database_specific":{"iocs":{"domains":["blackwolf.obs.cn-north-4.myhuaweicloud.com"]},"malicious-packages-origins":[{"import_time":"2025-04-25T09:36:45.125374641Z","modified_time":"2025-04-23T16:06:15Z","source":"reversing-labs","id":"RLMA-2025-02494","sha256":"1a7ca5dd9246f809a111116ae7063c65b60926ec2bd67a7e9c8cd141084ea05a","versions":["0.1","0.2","0.3"]},{"import_time":"2025-12-02T22:30:54.981847692Z","modified_time":"2025-03-24T08:08:10Z","source":"kam193","id":"pypi/2025-03-blackwolf/bbllaacckkwwoollff6ad8f762","sha256":"a0c16b7657653def9f66b50e8d66c0edf6cbd46d2134e1f6762a419236d51e15","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"import_time":"2025-12-02T23:07:18.011614862Z","modified_time":"2025-03-24T08:08:10Z","source":"kam193","id":"pypi/2025-03-blackwolf/bbllaacckkwwoollff6ad8f762","sha256":"4d90faddd66012c6f6fadc95f0a0e846b70504ed6ea47a65576ef5c4067a4985","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"import_time":"2025-12-10T21:38:57.313150216Z","modified_time":"2025-03-24T08:08:10Z","source":"kam193","id":"pypi/2025-03-blackwolf/bbllaacckkwwoollff6ad8f762","sha256":"2ebe8d10a9c8f194337ad8c083971ab38c94aef91942c7c9e3cfafd602f2a289","versions":["0.1","0.2","0.3"]},{"import_time":"2026-03-19T12:19:29.066397546Z","modified_time":"2026-03-18T12:11:51Z","source":"reversing-labs","id":"RLUA-2026-00141","sha256":"3efc7c8b48c8361aaa7526270e1ad27546670b25b60ced6c5d920104ed7adabc"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/bbllaacckkwwoollff6ad8f762"}],"affected":[{"package":{"name":"bbllaacckkwwoollff6ad8f762","ecosystem":"PyPI","purl":"pkg:pypi/bbllaacckkwwoollff6ad8f762"},"versions":["0.1","0.2","0.3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/bbllaacckkwwoollff6ad8f762/MAL-2025-3435.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}