{"id":"MAL-2025-6010","summary":"Malicious code in ruamel-poc (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (1381375ccfff8dc10b3416284ac4a9a91c69bb2d5e7b652a2df24a64f4c5d512)\nInstalling the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.\n\n\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.\n\n\nCampaign: GENERIC-standard-pypi-install-pentest\n\n\nReasons (based on the campaign):\n\n\n - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n## Source: ossf-package-analysis (8535b01286f7d33300d915d21bc5749c799fbac77f8bc63a9592c9e46afc1b3d)\nThe OpenSSF Package Analysis project identified 'ruamel-poc' @ 0.17.16 (pypi) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2025-12-31T02:56:44.177402Z","published":"2025-07-20T08:05:43Z","database_specific":{"malicious-packages-origins":[{"import_time":"2025-07-20T08:07:51.568273542Z","source":"ossf-package-analysis","modified_time":"2025-07-20T08:05:43Z","sha256":"8535b01286f7d33300d915d21bc5749c799fbac77f8bc63a9592c9e46afc1b3d","versions":["0.17.16"]},{"import_time":"2025-07-20T08:07:51.629642054Z","source":"ossf-package-analysis","modified_time":"2025-07-20T08:05:47Z","sha256":"cebb357392e162b1d4864a43cb98290e8e053c3c629bccf4e5956d4985b39275","versions":["1.17.16"]},{"import_time":"2025-12-02T22:30:56.383203079Z","source":"kam193","modified_time":"2025-07-20T12:06:40.28356Z","id":"pypi/GENERIC-standard-pypi-install-pentest/ruamel-poc","sha256":"2035a1838e6e7355b22342eb1d9f34f68c2eead65a852b15806b2021478f4d83","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"import_time":"2025-12-02T23:07:19.570420076Z","source":"kam193","modified_time":"2025-07-20T12:06:40.28356Z","id":"pypi/GENERIC-standard-pypi-install-pentest/ruamel-poc","sha256":"1381375ccfff8dc10b3416284ac4a9a91c69bb2d5e7b652a2df24a64f4c5d512","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"import_time":"2025-12-10T21:38:58.673712541Z","source":"kam193","modified_time":"2025-07-20T12:06:40.28356Z","id":"pypi/GENERIC-standard-pypi-install-pentest/ruamel-poc","sha256":"99a4d31003b7e366ec2c24913976cb4622c234e345e7a7c32a1a5ee48ec0e3cc","versions":["1.17.16","0.17.16"]},{"import_time":"2025-12-30T22:39:04.344694699Z","source":"kam193","modified_time":"2025-07-20T12:06:40.28356Z","id":"pypi/GENERIC-standard-pypi-install-pentest/ruamel-poc","sha256":"36caea90ea40b08a55e0b66b70c46956b9f8e6981ffed3b19ece6e6a7ba776b2","versions":["0.17.16","1.17.16"]}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/ruamel-poc"}],"affected":[{"package":{"name":"ruamel-poc","ecosystem":"PyPI","purl":"pkg:pypi/ruamel-poc"},"versions":["0.17.16","1.17.16"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/ruamel-poc/MAL-2025-6010.json"}}],"schema_version":"1.7.3","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}