{"id":"MAL-2025-5124","summary":"Malicious code in pyfiglets (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (66caa962e9fedf67dff7c9da840c4a4dcdca71f237d2e36f332f5b5bd32750bc)\nMalicious clone of pyfiglet. Importing the package starts a series of downloading and executing of obfuscated malicious scripts, partially identified by AVs.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-05-rich-figlet\n\n\nReasons (based on the campaign):\n\n\n - backdoor\n\n\n - clones-real-package\n\n\n - obfuscation\n\n\n - Downloads and executes a remote malicious script.\n","modified":"2026-03-19T12:55:52.866938Z","published":"2025-05-15T21:07:23Z","database_specific":{"malicious-packages-origins":[{"sha256":"7198f093584957c553eb8c896044b3cb8bee6bf85c08cf856d8b9d1a63b7f635","versions":["0.0.1"],"id":"RLMA-2025-03021","source":"reversing-labs","modified_time":"2025-06-18T10:15:17Z","import_time":"2025-06-18T15:06:02.229744504Z"},{"sha256":"f3bc7d429d4c5ea06232ecf9601a6791330176593eebb00ff147bbed316bcf1b","source":"kam193","id":"pypi/2025-05-rich-figlet/pyfiglets","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"modified_time":"2025-05-15T21:07:23Z","import_time":"2025-12-02T22:30:55.465800751Z"},{"sha256":"66caa962e9fedf67dff7c9da840c4a4dcdca71f237d2e36f332f5b5bd32750bc","source":"kam193","id":"pypi/2025-05-rich-figlet/pyfiglets","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"modified_time":"2025-05-15T21:07:23Z","import_time":"2025-12-02T23:07:18.490372927Z"},{"sha256":"79a812e77f7536e87dbfbd691f5596b72d2d2821b339ed04f8375462bba36443","versions":["0.0.1"],"id":"pypi/2025-05-rich-figlet/pyfiglets","source":"kam193","modified_time":"2025-05-15T21:07:23Z","import_time":"2025-12-10T21:38:57.705431572Z"},{"sha256":"15693e10c04edbb1252e11a1f26661caa05d3005bdc99dc54a3a80e01e505bcc","id":"RLUA-2026-00633","source":"reversing-labs","modified_time":"2026-03-18T12:17:27Z","import_time":"2026-03-19T12:20:15.622798072Z"}],"iocs":{"urls":["http://185.254.198.245:8080/update?token=4z1m6qbi4vzpwykp8YK4wAeZX89gbdwSy3dSCBGy2rkMjG5D0Alp5WO1RgktLeYk&platform=","http://185.254.198.245:80/admin/get.php","http://185.254.198.245:80/login/process.php"],"ips":["185.254.198.245"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/pyfiglets"}],"affected":[{"package":{"name":"pyfiglets","ecosystem":"PyPI","purl":"pkg:pypi/pyfiglets"},"versions":["0.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pyfiglets/MAL-2025-5124.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}