{"id":"MAL-2025-4526","summary":"Malicious code in caixaequ2ahzoop (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (da1d699d5d12de135ae0da4180622e30084a77fd76ee5cd36fe5667ce14c4bbe)\nObfuscated code gets a command from the remote target and executes it. At the time of the test, it was just \"whoami\". Thus, it's rather just an experiment\n\n\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.\n\n\nCampaign: 2025-05-caixaequ2ahzoop\n\n\nReasons (based on the campaign):\n\n\n - obfuscation\n\n\n - The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.\n\n## Source: ossf-package-analysis (82f9967b944983f117b085820df45222a6d7e6cfd130081af546f52071f9e21d)\nThe OpenSSF Package Analysis project identified 'caixaequ2ahzoop' @ 2.0.0 (pypi) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2025-12-12T20:34:14.463100Z","published":"2025-05-27T14:52:36Z","database_specific":{"iocs":{"domains":["d3gnpasobcdyif.cloudfront.net"]},"malicious-packages-origins":[{"sha256":"82f9967b944983f117b085820df45222a6d7e6cfd130081af546f52071f9e21d","versions":["2.0.0"],"source":"ossf-package-analysis","import_time":"2025-05-28T02:35:47.412678282Z","modified_time":"2025-05-27T14:52:36Z"},{"sha256":"d1dea941c248c1d64b68f80e89ff01f645683d7b5d8ec260709e4f43191fb222","versions":["2.0.1"],"source":"ossf-package-analysis","import_time":"2025-05-28T02:35:47.502811603Z","modified_time":"2025-05-27T15:06:15Z"},{"sha256":"9545f83711d0d85c5530e296ec6ef300f8785f643cdc77efc3ca7c7e2a486002","source":"kam193","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"id":"pypi/2025-05-caixaequ2ahzoop/caixaequ2ahzoop","import_time":"2025-12-02T22:30:55.928509781Z","modified_time":"2025-05-28T01:52:43Z"},{"sha256":"da1d699d5d12de135ae0da4180622e30084a77fd76ee5cd36fe5667ce14c4bbe","source":"kam193","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"id":"pypi/2025-05-caixaequ2ahzoop/caixaequ2ahzoop","import_time":"2025-12-02T23:07:19.11853038Z","modified_time":"2025-05-28T01:52:43Z"},{"sha256":"8bc44605b08b6de7f77947a3a750f4b38145f3f1e6bd9075d1cd269489d4f9c4","versions":["2.0.0","2.0.1"],"source":"kam193","id":"pypi/2025-05-caixaequ2ahzoop/caixaequ2ahzoop","import_time":"2025-12-10T21:38:58.252250813Z","modified_time":"2025-05-28T01:52:43Z"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/caixaequ2ahzoop"}],"affected":[{"package":{"name":"caixaequ2ahzoop","ecosystem":"PyPI","purl":"pkg:pypi/caixaequ2ahzoop"},"versions":["2.0.0","2.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/caixaequ2ahzoop/MAL-2025-4526.json"}}],"schema_version":"1.7.3","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}