{"id":"MAL-2025-6492","summary":"Malicious code in dbnodeindicator (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (0ca31ed82ece767a66ae60f44cfb3e36aa54f84e952217e36376f6519ac1f777)\nCode download and executes a remote script. At the time of analysis, the remote code just runs a notepad - as so classified as a pentest/research.\n\n\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.\n\n\nCampaign: 2025-07-db-indicator\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote malicious script.\n","modified":"2026-03-19T12:52:25.410219Z","published":"2025-07-14T07:20:29Z","database_specific":{"malicious-packages-origins":[{"import_time":"2025-08-01T10:07:10.821406668Z","source":"reversing-labs","versions":["0.1.0","0.1.1"],"id":"RLMA-2025-03583","sha256":"c85e50ef495fafd9089db0b04bd10f6e78ebae729b6a8331fe7fd19df4eab06b","modified_time":"2025-07-31T19:14:51Z"},{"import_time":"2025-12-02T22:30:55.976677471Z","source":"kam193","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"id":"pypi/2025-07-db-indicator/dbnodeindicator","sha256":"583171c72fccbc14a50135c6e8cde528e93a43317676f1822cc918d5878d23a6","modified_time":"2025-07-14T07:20:29.33492Z"},{"import_time":"2025-12-02T23:07:19.169884964Z","source":"kam193","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"id":"pypi/2025-07-db-indicator/dbnodeindicator","sha256":"0ca31ed82ece767a66ae60f44cfb3e36aa54f84e952217e36376f6519ac1f777","modified_time":"2025-07-14T07:20:29.33492Z"},{"import_time":"2025-12-10T21:38:58.30861909Z","source":"kam193","versions":["0.1.0","0.1.1"],"id":"pypi/2025-07-db-indicator/dbnodeindicator","sha256":"10b02e3bcba5234a3604d099f93839353167aff90af04c167fc620be87bc652d","modified_time":"2025-07-14T07:20:29.33492Z"},{"import_time":"2026-03-19T12:19:38.576236284Z","source":"reversing-labs","id":"RLUA-2026-00251","sha256":"82c859f02851c6e743552d9ae603534b4e23da25f4185f8503ee9aedd01d9dc0","modified_time":"2026-03-18T12:13:06Z"}],"iocs":{"urls":["https://api.etherjs.pro/socket"],"domains":["etherjs.pro"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/dbnodeindicator"}],"affected":[{"package":{"name":"dbnodeindicator","ecosystem":"PyPI","purl":"pkg:pypi/dbnodeindicator"},"versions":["0.1.0","0.1.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/dbnodeindicator/MAL-2025-6492.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}