{"id":"MAL-2025-6496","summary":"Malicious code in doverius (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (c386579381491132baf4d7848ddb82f965c540fb732abb69771325665eabbc63)\nCode is designed to download and run remote scripts during installation, which finally downloads and starts an infostealer\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-06-justanything\n\n\nReasons (based on the campaign):\n\n\n - infostealer\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n\n - Downloads and executes a remote malicious script.\n\n\n - Downloads and executes a remote executable.\n","modified":"2026-03-19T12:52:40.132597Z","published":"2025-06-13T14:03:05Z","database_specific":{"malicious-packages-origins":[{"import_time":"2025-08-01T10:07:10.970971168Z","source":"reversing-labs","versions":["0.1"],"sha256":"d85221993acc2bc24d90da7d3b15ce9ca172446cff60a2bb1c87dc146b8dd050","modified_time":"2025-07-31T19:14:54Z","id":"RLMA-2025-03587"},{"import_time":"2025-12-02T22:30:55.112874442Z","source":"kam193","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"sha256":"d4ab7f4df36b800e0eaf41f4d455f5807675d15ca6ed00a7633b4afb6063f5da","modified_time":"2025-06-13T14:03:05Z","id":"pypi/2025-06-justanything/doverius"},{"import_time":"2025-12-02T23:07:18.124487647Z","source":"kam193","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"sha256":"c386579381491132baf4d7848ddb82f965c540fb732abb69771325665eabbc63","modified_time":"2025-06-13T14:03:05Z","id":"pypi/2025-06-justanything/doverius"},{"import_time":"2025-12-10T21:38:57.409376962Z","source":"kam193","versions":["0.1"],"sha256":"67aa21110aecd06adf09f870bd878d943e6ab92f6f0c563b8d2640235277238f","modified_time":"2025-06-13T14:03:05Z","id":"pypi/2025-06-justanything/doverius"},{"import_time":"2026-03-19T12:19:41.616263092Z","source":"reversing-labs","sha256":"9a2f5e82d385b51cbdf0ce96a9f34f933227730fd2a92625b67f7936740877c8","modified_time":"2026-03-18T12:13:24Z","id":"RLUA-2026-00281"}],"iocs":{"urls":["https://fastobfuscate.run/1.txt","https://fastobfuscate.run/main.py","https://fastobfuscate.run/python.exe"],"domains":["fastobfuscate.run"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/doverius"}],"affected":[{"package":{"name":"doverius","ecosystem":"PyPI","purl":"pkg:pypi/doverius"},"versions":["0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/doverius/MAL-2025-6496.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}