{"id":"MAL-2025-5127","summary":"Malicious code in requestpackat (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (b70e437edd04a30f48e384a4a07cdb1790dcb5e6a66ba800dc1703bf845a6b36)\nCode downloads and runs an executable, which is widely recognized as malware. The system is also configured to run it on startup, and the file is saved in paths attempting to look like a system file.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-05-requestpackat\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n\n\n - malware\n\n\n - peristence-autorun\n","modified":"2026-03-19T12:56:17.140221Z","published":"2025-05-15T18:11:34Z","database_specific":{"malicious-packages-origins":[{"import_time":"2025-06-18T15:06:02.512242444Z","modified_time":"2025-06-18T10:15:19Z","versions":["1.0.1","1.0.2"],"source":"reversing-labs","id":"RLMA-2025-03024","sha256":"bd9fa31de2e6585f8ff120c4dc6ec856376f193db6aaafc59c77c2ebdaae7af3"},{"import_time":"2025-12-02T22:30:55.537428731Z","modified_time":"2025-05-15T18:11:34Z","source":"kam193","id":"pypi/2025-05-requestpackat/requestpackat","sha256":"8ec797580e984c82836fdf3d52adc8441744a46da5d0f602f189a96fba6a9c1f","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"import_time":"2025-12-02T23:07:18.575881016Z","modified_time":"2025-05-15T18:11:34Z","source":"kam193","id":"pypi/2025-05-requestpackat/requestpackat","sha256":"b70e437edd04a30f48e384a4a07cdb1790dcb5e6a66ba800dc1703bf845a6b36","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"import_time":"2025-12-10T21:38:57.784699921Z","modified_time":"2025-05-15T18:11:34Z","versions":["1.0.1","1.0.2"],"source":"kam193","id":"pypi/2025-05-requestpackat/requestpackat","sha256":"ee2729f4331f0e1f42f440b377e789ff4b1afcdc427986769e6fcdfad25167ce"},{"import_time":"2026-03-19T12:20:22.411196794Z","modified_time":"2026-03-18T12:18:12Z"
,"source":"reversing-labs","id":"RLUA-2026-00704","sha256":"f70b8dd5337e5eac2517248cbc9fe4266de761329e07af3c8597d85a98b42b41"}],"iocs":{"urls":["https://github.com/FaresEI3RAB/Fares/raw/refs/heads/main/svchost.exe","https://pastebin.com/raw/hxAQV6Nq","https://pastebin.com/raw/Z4VMbzLP"]}},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/b9a07b5b22c1f49f2f28e5cb4c9854557e3ac8bf9d1a7c348236f6f226f7f9ab"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/requestpackat"}],"affected":[{"package":{"name":"requestpackat","ecosystem":"PyPI","purl":"pkg:pypi/requestpackat"},"versions":["1.0.1","1.0.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/requestpackat/MAL-2025-5127.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}