{"id":"MAL-2025-6483","summary":"Malicious code in cpan (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (e70433969aea3c8283f99098b25b8a598f427b5fd451e9bfd5bc46098704bfb2)\nInstalling the package starts a revshell and download and starts a remote script (depending on version, different malicious functionality). The name seems to imitate CPAN.org\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-06-cpan\n\n\nReasons (based on the campaign):\n\n\n - The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.\n\n\n - impersonation\n\n\n - Downloads and executes a remote malicious script.\n","modified":"2026-03-19T12:52:04.192895Z","published":"2025-06-28T09:28:42Z","database_specific":{"malicious-packages-origins":[{"sha256":"bd1681dc89631934bce508a308d2c708603f6d09ca9cb6efbe90f4b33d1cbaea","versions":["0.0.2","0.0.3"],"modified_time":"2025-07-31T19:14:43Z","import_time":"2025-08-01T10:07:10.52261363Z","id":"RLMA-2025-03574","source":"reversing-labs"},{"sha256":"7d1167d235aa8d1bfa384247116621d8a00d34455aabf31bc8f46e5f348ae7b2","modified_time":"2025-06-28T09:28:42Z","import_time":"2025-12-02T22:30:55.072464118Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"id":"pypi/2025-06-cpan/cpan","source":"kam193"},{"sha256":"e70433969aea3c8283f99098b25b8a598f427b5fd451e9bfd5bc46098704bfb2","modified_time":"2025-06-28T09:28:42Z","import_time":"2025-12-02T23:07:18.082630638Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"id":"pypi/2025-06-cpan/cpan","source":"kam193"},{"sha256":"58814925612b24ead324b54f764c54aea2512fe1a85e1ba3fd152395a2acaa93","versions":["0.0.1","0.0.2","0.0.3"],"modified_time":"2025-06-28T09:28:42Z","import_time":"2025-12-10T21:38:57.374165892Z","id":"pypi/2025-06-cpan/cpan","source":"kam193"},{"sha256":"4b423c9367571c3f7f63f1df132ff76424ff0cebb455a95d212c659dac56bbb8","versions":["0.0.1"],"modified_time":"2026-03-18T12:12:51Z","import_time":"2026-03-19T12:19:36.34520604Z","id":"RLUA-2026-00226","source":"reversing-labs"}],"iocs":{"ips":["124.221.175.251"],"urls":["http://124.221.175.251/11.sh","http://124.221.175.251/start.sh"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/cpan"}],"affected":[{"package":{"name":"cpan","ecosystem":"PyPI","purl":"pkg:pypi/cpan"},"versions":["0.0.2","0.0.3","0.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/cpan/MAL-2025-6483.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}