{"id":"MAL-2025-3439","summary":"Malicious code in ccxt-mexc-futures (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (f2eb5eb75679b536c430ad6d5440e63fbe1d1cd391ab1abf2a411dae3a768ed8)\nThere is a hidden code that overwrites the default method and downloads remote data, which contains the dictionary pretending to be the right value, and a hidden code to exfiltrate machine ID and download and run a remote code.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-03-ccxt-mexc-futures\n\n\nReasons (based on the campaign):\n\n\n - obfuscation\n\n\n - Downloads and executes a remote malicious script.\n\n\n - action-hidden-in-lib-usage\n","modified":"2026-03-19T12:51:37.061583Z","published":"2025-03-10T13:30:44Z","database_specific":{"iocs":{"urls":["https://v3.mexc.workers.dev/describe.json","https://update.mexc.workers.dev/"],"domains":["update.mexc.workers.dev","v3.mexc.workers.dev","mexc.workers.dev"]},"malicious-packages-origins":[{"id":"RLMA-2025-02500","import_time":"2025-04-25T09:36:45.676518187Z","source":"reversing-labs","versions":["0.1.4","0.1.5","0.1.6","0.1.7","0.1.8"],"sha256":"f8948ced2172fde60eaa2844530b5eb6d7f7e1c3e46860ffe1787d069de422d5","modified_time":"2025-04-23T16:06:18Z"},{"id":"RLUA-2025-02560","import_time":"2025-05-22T14:07:11.173664858Z","source":"reversing-labs","sha256":"b960a73138bba5d79c9eaf82de51d667fc6305ab577d2bea22bde2b3535461bc","modified_time":"2025-05-22T12:33:27Z"},{"id":"pypi/2025-03-ccxt-mexc-futures/ccxt-mexc-futures","import_time":"2025-12-02T22:30:55.037404078Z","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"source":"kam193","sha256":"116fc2e7a8fe6b235f43036def48255cb8c8a75e7ad046f94155903e29403ca2","modified_time":"2025-03-10T13:30:44Z"},{"id":"pypi/2025-03-ccxt-mexc-futures/ccxt-mexc-futures","import_time":"2025-12-02T23:07:18.045735101Z","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"source":"kam193","sha256":"f2eb5eb75679b536c430ad6d5440e63fbe1d1cd391ab1abf2a411dae3a768ed8","modified_time":"2025-03-10T13:30:44Z"},{"id":"pypi/2025-03-ccxt-mexc-futures/ccxt-mexc-futures","import_time":"2025-12-10T21:38:57.338883868Z","source":"kam193","versions":["0.1.4","0.1.5","0.1.6","0.1.7","0.1.8"],"sha256":"f126fba8fb0e9d3ab356f93681fa35fcec759a2c6af2c6ab549e344ccfe85d38","modified_time":"2025-03-10T13:30:44Z"},{"id":"RLUA-2026-00181","import_time":"2026-03-19T12:19:32.640187643Z","source":"reversing-labs","sha256":"ab711c6084603ee25b3619cb1e58fc0581b22e3a8ce3c15d13fa86252b12eafc","modified_time":"2026-03-18T12:12:17Z"}]},"references":[{"type":"ARTICLE","url":"https://jfrog.com/blog/malicious-pypi-package-hijacks-mexc-orders-steals-crypto-tokens"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/ccxt-mexc-futures"}],"affected":[{"package":{"name":"ccxt-mexc-futures","ecosystem":"PyPI","purl":"pkg:pypi/ccxt-mexc-futures"},"versions":["0.1.4","0.1.5","0.1.6","0.1.7","0.1.8"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/ccxt-mexc-futures/MAL-2025-3439.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}