{"id":"MAL-2025-3448","summary":"Malicious code in httpx-client (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (d26dbf9fa1035b8b1e189f67123ee22f506cd21c08e17c282176a716af9da033)\nImporting the module starts downloading and executing first a script, and then a widely identified malware\n\nPackages are used as dependencies in a GitHub project https://github.com/ToolParadiseDrako/Nuker-Tool-Paradise\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-03-httpx-client\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n\n\n - Downloads and executes a remote malicious script.\n\n\n - malware\n","modified":"2026-03-19T12:53:44.632250Z","published":"2025-03-17T21:47:06Z","database_specific":{"malicious-packages-origins":[{"id":"RLMA-2025-02510","import_time":"2025-04-25T09:36:46.479234093Z","versions":["0.0.1"],"modified_time":"2025-04-23T16:06:25Z","sha256":"9ff2d32be1f48fa36bb92be791d851bbd82410dbaff5e4d25129b3f8afac669c","source":"reversing-labs"},{"id":"pypi/2025-03-httpx-client/httpx-client","import_time":"2025-12-02T22:30:55.259505059Z","sha256":"6fdc9cdaef31f88070b3abd593a1854c51a88eba4e915f16c553ce10a5c625fa","modified_time":"2025-03-17T21:47:06Z","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"source":"kam193"},{"id":"pypi/2025-03-httpx-client/httpx-client","import_time":"2025-12-02T23:07:18.283190748Z","sha256":"d26dbf9fa1035b8b1e189f67123ee22f506cd21c08e17c282176a716af9da033","modified_time":"2025-03-17T21:47:06Z","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"source":"kam193"},{"id":"pypi/2025-03-httpx-client/httpx-client","import_time":"2025-12-10T21:38:57.534601197Z","versions":["0.0.1"],"modified_time":"2025-03-17T21:47:06Z","sha256":"a0ed7307c7fc2d4cb66bfc22e731e688cabb34b1b8f481e5faa8cd8bae996cb2","source":"kam193"},{"id":"RLUA-2026-00403","import_time":"2026-03-19T12:19:52.99904183Z","modified_time":"2026-03-18T12:14:47Z","sha256":"87d2fbdf54ffb1b9f5e6d6126bfc59f1e64a6b142880ab859250df371a65d596","source":"reversing-labs"}],"iocs":{"domains":["zetolacs-cloud.top","contorosa.space"],"urls":["https://zetolacs-cloud.top/Stb/Retev.php?bl=Uic2YYQdDhtfiKAZnULCW012.txt","https://raw.githubusercontent.com/mrunknown12321/1234/refs/heads/main/1234","https://raw.githubusercontent.com/VinieClara/FN-Manfiestes/main/SdkVersion.txt"]}},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/08a2072bf8e155457afe84d61a9d2e077183b7b8413c9c601c9cf30454c2f4a0"},{"type":"EVIDENCE","url":"https://tria.ge/250316-s2sj2sxmx7"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/httpx-client"}],"affected":[{"package":{"name":"httpx-client","ecosystem":"PyPI","purl":"pkg:pypi/httpx-client"},"versions":["0.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/httpx-client/MAL-2025-3448.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}