{"id":"MAL-2025-5130","summary":"Malicious code in rich-figlet (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (b97458c87c8580a9cb2f2edc0af2ae40a36489dafa860102eee0307256cb416b)\nMalicious clone of pyfiglet. Importing the package starts a series of downloading and executing of obfuscated malicious scripts, partially identified by AVs.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-05-rich-figlet\n\n\nReasons (based on the campaign):\n\n\n - backdoor\n\n\n - clones-real-package\n\n\n - obfuscation\n\n\n - Downloads and executes a remote malicious script.\n","modified":"2026-03-19T12:56:33.447814Z","published":"2025-05-15T21:07:23Z","database_specific":{"malicious-packages-origins":[{"import_time":"2025-06-18T15:06:02.828764956Z","modified_time":"2025-06-18T10:15:20Z","id":"RLMA-2025-03027","source":"reversing-labs","sha256":"1fb8756d54415e4db8b88e0020d0e3790706d1a99fd9e1d35a53c60df6e88bb5","versions":["0.0.1","0.0.2"]},{"import_time":"2025-12-02T22:30:55.546957178Z","source":"kam193","modified_time":"2025-05-15T21:07:23Z","id":"pypi/2025-05-rich-figlet/rich-figlet","sha256":"ae8f9120c124773c46c7642ae7b481a2c7fcbb3efc7ede6d3bbd4ae9cd685abb","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"import_time":"2025-12-02T23:07:18.586108477Z","source":"kam193","modified_time":"2025-05-15T21:07:23Z","id":"pypi/2025-05-rich-figlet/rich-figlet","sha256":"b97458c87c8580a9cb2f2edc0af2ae40a36489dafa860102eee0307256cb416b","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"import_time":"2025-12-10T21:38:57.793769267Z","modified_time":"2025-05-15T21:07:23Z","id":"pypi/2025-05-rich-figlet/rich-figlet","source":"kam193","sha256":"b04142554fcdf43b5220b5775730a7d3ed985e64437f34bbc6217d0753b75d7e","versions":["0.0.2","0.0.1"]},{"import_time":"2025-12-30T22:39:04.164085173Z","modified_time":"2025-05-15T21:07:23Z","id":"pypi/2025-05-rich-figlet/rich-figlet","source":"kam193","sha256":"25c5d33ac4481cbfe7f6d5f2efc5bb88a41fbcd5ba7d05e747061aa5f73f3a2a","versions":["0.0.1","0.0.2"]},{"import_time":"2026-03-19T12:20:24.082200643Z","modified_time":"2026-03-18T12:18:23Z","id":"RLUA-2026-00722","source":"reversing-labs","sha256":"f2f26985d65eda7a5a25fee5dc18e753eab648063d1d095954b6dd79be7a69d6"}],"iocs":{"ips":["185.254.198.245"],"urls":["http://185.254.198.245:8080/update?token=4z1m6qbi4vzpwykp8YK4wAeZX89gbdwSy3dSCBGy2rkMjG5D0Alp5WO1RgktLeYk&platform=","http://185.254.198.245:80/admin/get.php","http://185.254.198.245:80/login/process.php"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/rich-figlet"}],"affected":[{"package":{"name":"rich-figlet","ecosystem":"PyPI","purl":"pkg:pypi/rich-figlet"},"versions":["0.0.1","0.0.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/rich-figlet/MAL-2025-5130.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}