{"id":"MAL-2025-4270","summary":"Malicious code in web3automation (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (09a3fb2947bb8eaaf1e65033e8ccee659633669d5de0c0456b4c2e1680317dfb)\nPackage contains just a function to send out data. It (or a package sharing the same IoCs) is used in a malicious GitHub project to exfiltrate crypto currency private keys, e.g. https://github.com/taikoyaki/MegaEth-Auto-Bot/blob/772b4591daaa0b200d1bd1fd3be3d48b8433f084/cap/cap.py#L49\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-04-alchemyrpcs\n\n\nReasons (based on the campaign):\n\n\n - crypto-related\n\n\n - The malicious code is intentionally included in a dependency of the package\n\n\n - exfiltration-crypto\n","modified":"2026-04-16T15:58:41.973532Z","published":"2025-04-27T08:06:41Z","database_specific":{"malicious-packages-origins":[{"versions":["1.1.2","1.1.5","1.1.7"],"sha256":"286ca7c22fd3f71fabc8eb7f7f33d2bb8c9cc521d1030e73a12491b1bf3f9fb8","id":"RLMA-2025-02628","import_time":"2025-05-22T14:06:40.288328774Z","source":"reversing-labs","modified_time":"2025-05-22T12:34:00Z"},{"sha256":"637a7b9a1f35424ddbef4ef0afcd8df9634661b643e25107cbb1e85ac6c4e328","id":"pypi/2025-04-alchemyrpcs/web3automation","import_time":"2025-12-02T22:30:55.748451116Z","source":"kam193","modified_time":"2025-04-27T08:06:41Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"sha256":"09a3fb2947bb8eaaf1e65033e8ccee659633669d5de0c0456b4c2e1680317dfb","id":"pypi/2025-04-alchemyrpcs/web3automation","import_time":"2025-12-02T23:07:18.790612098Z","source":"kam193","modified_time":"2025-04-27T08:06:41Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"versions":["1.1.2","1.1.4","1.1.5","1.1.7"],"sha256":"d98e3def52200945346f76d561fee04437b0026ba4a1230139567ecb79988008","id":"pypi/2025-04-alchemyrpcs/web3automation","import_time":"2025-12-10T21:38:57.958135693Z","source":"kam193","modified_time":"2025-04-27T08:06:41Z"},{"sha256":"fe8343ba251ea729f4747f35fa6f78fbe0dd69755e7c4bd97f45e6fc99ec5025","id":"RLUA-2026-00916","import_time":"2026-03-19T12:20:43.237811615Z","source":"reversing-labs","modified_time":"2026-03-18T12:20:28Z"},{"versions":["1.1.4"],"sha256":"bcada748116388dfbe6066d1df66a61687e52362dd134c6c9d6b5fa4f23db174","id":"RLUA-2026-02085","import_time":"2026-04-16T15:39:36.587497872Z","source":"reversing-labs","modified_time":"2026-04-16T10:27:56Z"}],"iocs":{"domains":["web3check-api.netlify.app","dapper-flan-46eb5a.netlify.app"]}},"references":[{"type":"WEB","url":"https://github.com/taikoyaki/MegaEth-Auto-Bot/blob/772b4591daaa0b200d1bd1fd3be3d48b8433f084/cap/cap.py#L49"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/web3automation"}],"affected":[{"package":{"name":"web3automation","ecosystem":"PyPI","purl":"pkg:pypi/web3automation"},"versions":["1.1.2","1.1.5","1.1.7","1.1.4"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/web3automation/MAL-2025-4270.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}