{"id":"MAL-2025-47762","summary":"Malicious code in electrum-bch (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (8e4c3bb0f735a352c6f4d18865f3a145912c31f6b9da22c48e731e7fe750b1dd)\nThe modification of https://github.com/spesmilo/electrum (not clear which version or fork) that during usage will exfiltrate files from the current directory, presumably wanting to collect sensitive data.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-08-electrum-bch\n\n\nReasons (based on the campaign):\n\n\n - crypto-related\n\n\n - action-hidden-in-lib-usage\n\n\n - exfiltration-crypto\n\n\n - exfiltration-generic\n\n\n - clones-real-package\n","modified":"2026-03-19T12:52:47.445162Z","published":"2025-08-23T11:16:26Z","database_specific":{"iocs":{"ips":["136.243.103.253"],"urls":["http://136.243.103.253:8080/upload"]},"malicious-packages-origins":[{"versions":["0.3.6","0.3.7","0.3.8","0.3.9"],"import_time":"2025-09-26T11:05:32.592233195Z","id":"RLMA-2025-04763","sha256":"d2bb6f0671f65c17290c09be93e9e37c8619fdd1be42ba85f5e96b63f3645e5d","source":"reversing-labs","modified_time":"2025-09-26T09:13:55Z"},{"versions":["0.3.9","0.3.8","0.3.7","0.3.6","0.3.5"],"import_time":"2025-12-02T22:30:55.125312163Z","id":"pypi/2025-08-electrum-bch/electrum-bch","sha256":"709670ac9cef9e8f4a4d2a2e93d9ea07c9892f2237dd309c3294ae84c4d6915a","source":"kam193","modified_time":"2025-08-23T11:16:26.305373Z"},{"versions":["0.3.9","0.3.8","0.3.7","0.3.6","0.3.5"],"import_time":"2025-12-02T23:07:18.136008125Z","id":"pypi/2025-08-electrum-bch/electrum-bch","sha256":"8e4c3bb0f735a352c6f4d18865f3a145912c31f6b9da22c48e731e7fe750b1dd","source":"kam193","modified_time":"2025-08-23T11:16:26.305373Z"},{"versions":["0.3.5","0.3.6","0.3.7","0.3.8","0.3.9"],"import_time":"2025-12-30T22:39:04.077760618Z","id":"pypi/2025-08-electrum-bch/electrum-bch","sha256":"22c1e1447fff58ea767fecde710b5f63112c0d85e8ab703e7f54ec3db6e0c99f","source":"kam193","modified_time":"2025-08-23T11:16:26.305373Z"},{"versions":["0.3.5"],"import_time":"2026-03-19T12:19:42.553014188Z","id":"RLUA-2026-00291","sha256":"aa432205fe76bdee20f45fe50205a4f4ad039d58d789b48c11c52feae8b0d19e","source":"reversing-labs","modified_time":"2026-03-18T12:13:30Z"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/electrum-bch"}],"affected":[{"package":{"name":"electrum-bch","ecosystem":"PyPI","purl":"pkg:pypi/electrum-bch"},"versions":["0.3.6","0.3.7","0.3.8","0.3.9","0.3.5"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/electrum-bch/MAL-2025-47762.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}