{"id":"MAL-2025-4238","summary":"Malicious code in reqinstall (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (fabb4dfb4f519f848a714f96e09e2b5fbb289ffdd8cd86fc13c8fbf49b539962)\nCampaign is split into multiple packages that altogether exfiltrate data from the desktop Telegram application.\n\n1. \"pyapiepo\" is a cover package that provides some useless features BUT also imports \"zscaner\"\n2. \"zscaner\", when imported, automatically runs a function that is an entry point to the whole process; it uses the \"scan\" from \"reqinstall\" to walk through directories. The package also provides the main logic: filtering files, triggering archiving of directories and exfiltrating them.\n3. \"reqinstall\" ensures \"requests\" is installed and provides a directory tree scanning function.\n4. \"zmaker\" provides functions to build archives from collected files.\n5. \"zsender\" provides functions to exfiltrate data, the remote URL and a function to deobfuscate configuration in other packages.\n\nAltogether, they look for the \"Telegram Desktop\" folder, archive user data stored there and exfiltrate it to a remote location.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-04-zscaner\n\n\nReasons (based on the campaign):\n\n\n - target:telegram\n\n\n - exfiltration-generic\n\n\n - The malicious code is intentionally included in a dependency of the package\n","modified":"2026-03-19T12:56:14.785200Z","published":"2025-04-20T12:05:56Z","database_specific":{"iocs":{"ips":["77.91.76.45"],"urls":["http://77.91.76.45:100/OPEN"]},"malicious-packages-origins":[{"source":"reversing-labs","modified_time":"2025-05-22T12:33:45Z","import_time":"2025-05-22T14:06:37.465137224Z","id":"RLMA-2025-02595","sha256":"1efe69752fd9b5fc4bb5712690e4f0f9bc53b6ce064a36f47099c69e8c5f8f3d","versions":["1.0.1","1.1.0"]},{"source":"kam193","modified_time":"2025-04-20T12:05:56Z","import_time":"2025-12-02T22:30:55.532555924Z","id":"pypi/2025-04-zscaner/reqinstall","sha256":"14ef3a9cd087aa6eaa13b2eebfef3239602dc8ff30a8ddc4508d6762aa38c342","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}]},{"source":"kam193","modified_time":"2025-04-20T12:05:56Z","import_time":"2025-12-02T23:07:18.570329289Z","id":"pypi/2025-04-zscaner/reqinstall","sha256":"fabb4dfb4f519f848a714f96e09e2b5fbb289ffdd8cd86fc13c8fbf49b539962","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}]},{"source":"kam193","modified_time":"2025-04-20T12:05:56Z","import_time":"2025-12-10T21:38:57.779299203Z","id":"pypi/2025-04-zscaner/reqinstall","sha256":"783763ebdfa4122fcaa11495aab7006a4771040ef9c11a1d274356be7552a37f","versions":["1.0.1","1.1.0"]},{"source":"reversing-labs","modified_time":"2026-03-18T12:18:09Z","import_time":"2026-03-19T12:20:21.893993973Z","id":"RLUA-2026-00699","sha256":"a3ba2157bc4864351efb57f77ff00f31e03bfc0ccfc3ca93d192b09ac62daec1"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/reqinstall"}],"affected":[{"package":{"name":"reqinstall","ecosystem":"PyPI","purl":"pkg:pypi/reqinstall"},"versions":["1.0.1","1.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/reqinstall/MAL-2025-4238.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}