{"id":"MAL-2025-4237","summary":"Malicious code in rblxfando (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (79348147677636191e632b65c78ba37a77d2ba57abed5c9b257624b0f14ba1b8)\nImporting the module triggers a delayed download and execution of a remote executable identified as the BlankGrabber infostealer.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-05-rblxfando\n\n\nReasons (based on the campaign):\n\n\n - infostealer\n\n\n - Downloads and executes a remote executable.\n\n\n - malware\n\n\n - infostealer:blankgrabber\n","modified":"2026-03-19T12:56:13.401420Z","published":"2025-05-03T11:28:31Z","database_specific":{"malicious-packages-origins":[{"versions":["0.1"],"import_time":"2025-05-22T14:06:37.376723737Z","source":"reversing-labs","id":"RLMA-2025-02594","sha256":"71c3190c9136aa80c45bfe59119e33d939e8600b15ecee4bb10cbc4f3340220c","modified_time":"2025-05-22T12:33:45Z"},{"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"import_time":"2025-12-02T22:30:55.520804572Z","source":"kam193","id":"pypi/2025-05-rblxfando/rblxfando","sha256":"459f89ba5c8c6277489fa01ac51a1a2a3518da235661931c205639fe510aae8b","modified_time":"2025-05-03T11:28:31Z"},{"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"import_time":"2025-12-02T23:07:18.547346512Z","source":"kam193","id":"pypi/2025-05-rblxfando/rblxfando","sha256":"79348147677636191e632b65c78ba37a77d2ba57abed5c9b257624b0f14ba1b8","modified_time":"2025-05-03T11:28:31Z"},{"versions":["0.1"],"import_time":"2025-12-10T21:38:57.766455011Z","source":"kam193","id":"pypi/2025-05-rblxfando/rblxfando","sha256":"d6a7201f91dc04c7dc3779d41f23f88c22e399e65d5235b56fd5044a353a6383","modified_time":"2025-05-03T11:28:31Z"},{"import_time":"2026-03-19T12:20:20.519021887Z","source":"reversing-labs","id":"RLUA-2026-00687","sha256":"33c2e61cb915612d6b71ff0f34f306d72647056a5333fe9012c753e762bb5da7","modified_time"
:"2026-03-18T12:18:01Z"}],"iocs":{"urls":["https://www.dropbox.com/scl/fi/ob1loh3prx2ylkyy3yesd/Built.exe?rlkey=9qgzvt2nuwf7nr6pkj2jsp98d&st=h0vqjsbu&dl=1"]}},"references":[{"type":"EVIDENCE","url":"https://tria.ge/250503-njy7na1zgs/static1"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/rblxfando"}],"affected":[{"package":{"name":"rblxfando","ecosystem":"PyPI","purl":"pkg:pypi/rblxfando"},"versions":["0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/rblxfando/MAL-2025-4237.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}