{"id":"MAL-2025-4273","summary":"Malicious code in websign (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (25ea98e45fc0e99bfc731d77e2205bd14c901fc33ba6b8639b441b97739db0e2)\nPackage contains just a function to send out data. It (or a package sharing the same IoCs) is used in a malicious GitHub project to exfiltrate crypto currency private keys, e.g. https://github.com/taikoyaki/MegaEth-Auto-Bot/blob/772b4591daaa0b200d1bd1fd3be3d48b8433f084/cap/cap.py#L49\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-04-alchemyrpcs\n\n\nReasons (based on the campaign):\n\n\n - crypto-related\n\n\n - The malicious code is intentionally included in a dependency of the package\n\n\n - exfiltration-crypto\n","modified":"2026-03-19T12:58:22.651006Z","published":"2025-04-27T08:06:41Z","database_specific":{"malicious-packages-origins":[{"sha256":"4a59dc6694a22280d53c39ce67f7230e3ebda36804168fcb82211273e324d878","modified_time":"2025-05-22T12:34:01Z","import_time":"2025-05-22T14:06:40.551739356Z","source":"reversing-labs","id":"RLMA-2025-02631","versions":["0.1.0"]},{"sha256":"6505d88c061e297b18178a440c9d55729c873a37a57a09115befe1fb6eb2a22e","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"modified_time":"2025-04-27T08:06:41Z","import_time":"2025-12-02T22:30:55.761624805Z","source":"kam193","id":"pypi/2025-04-alchemyrpcs/websign"},{"sha256":"25ea98e45fc0e99bfc731d77e2205bd14c901fc33ba6b8639b441b97739db0e2","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"modified_time":"2025-04-27T08:06:41Z","import_time":"2025-12-02T23:07:18.804031341Z","source":"kam193","id":"pypi/2025-04-alchemyrpcs/websign"},{"sha256":"1c2cd23b18ab4866022a4e611707833e084f18086971595f873b40013905455b","modified_time":"2025-04-27T08:06:41Z","import_time":"2025-12-10T21:38:57.97003683Z","source":"kam193","id":"pypi/2025-04-alchemyrpcs/websign","versions":["0.1.0"]},{"sha256":"7b3df3514dc1c53965225b35305ca024f87fd90d1481ec4698f8023330d10283","modified_time":"2026-03-18T12:20:33Z","import_time":"2026-03-19T12:20:44.064544521Z","source":"reversing-labs","id":"RLUA-2026-00925"}],"iocs":{"domains":["web3check-api.netlify.app","dapper-flan-46eb5a.netlify.app"]}},"references":[{"type":"WEB","url":"https://github.com/taikoyaki/MegaEth-Auto-Bot/blob/772b4591daaa0b200d1bd1fd3be3d48b8433f084/cap/cap.py#L49"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/websign"}],"affected":[{"package":{"name":"websign","ecosystem":"PyPI","purl":"pkg:pypi/websign"},"versions":["0.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/websign/MAL-2025-4273.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}