{"id":"MAL-2025-6478","summary":"Malicious code in cloudscrapersafe (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (2420d6a750823b640af4d97d3a2a26383ce9e32d3ac266e4792675e8beb9b806)\nDuring processing the user requests, the package looks for URLs related to checkouts using services:\n- credomatic.compassmerchantsolutions.com\n- checkout.baccredomatic.com\nand exfiltrates given credit card numbers, verification codes etc. Interestingly, it checks even 3DS responses.\n\nClone of the legitimate \"cloudscraper\" package.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-07-cloudscrapersafe\n\n\nReasons (based on the campaign):\n\n\n - action-hidden-in-lib-usage\n\n\n - exfiltration-generic\n\n\n - clones-real-package\n","modified":"2026-03-19T12:51:46.977932Z","published":"2025-07-06T15:18:55Z","database_specific":{"malicious-packages-origins":[{"versions":["3.0.0","3.1.0","3.1.1"],"modified_time":"2025-07-31T19:14:33Z","source":"reversing-labs","import_time":"2025-08-01T10:07:10.358657955Z","sha256":"aaa50ce8270e9aea79dd5e82e629190c5453fa565f609771d277746bf84de6e2","id":"RLMA-2025-03563"},{"modified_time":"2025-07-06T15:18:55Z","source":"kam193","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"import_time":"2025-12-02T22:30:55.044692709Z","sha256":"6944a90e2050c1774fddbb3e1bc7bac1c298245b9deef45fb50fd828a4050ed5","id":"pypi/2025-07-cloudscrapersafe/cloudscrapersafe"},{"modified_time":"2025-07-06T15:18:55Z","source":"kam193","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"import_time":"2025-12-02T23:07:18.052906441Z","sha256":"2420d6a750823b640af4d97d3a2a26383ce9e32d3ac266e4792675e8beb9b806","id":"pypi/2025-07-cloudscrapersafe/cloudscrapersafe"},{"versions":["3.0.0","3.1.0","3.1.1"],"modified_time":"2025-07-06T15:18:55Z","source":"kam193","import_time":"2025-12-10T21:38:57.343196157Z","sha256":"51d27c65c6f9d6dc0bf33a47219228da73ffd60b15808b0bf0b8a4bd027fb16c","id":"pypi/2025-07-cloudscrapersafe/cloudscrapersafe"},{"modified_time":"2026-03-18T12:12:26Z","source":"reversing-labs","import_time":"2026-03-19T12:19:33.698411843Z","sha256":"8f9df6a19142786919843598f583185471e6b998b404faf0fa7316526da472eb","id":"RLUA-2026-00196"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/cloudscrapersafe"}],"affected":[{"package":{"name":"cloudscrapersafe","ecosystem":"PyPI","purl":"pkg:pypi/cloudscrapersafe"},"versions":["3.0.0","3.1.0","3.1.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/cloudscrapersafe/MAL-2025-6478.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}