{"id":"MAL-2025-6531","summary":"Malicious code in justanything (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (206471fdab67d7afeeb5fa6ee55cdb14b88338b58b50a5b73f31bbbb5e66e65b)\nCode is designed to download and run remote scripts during installation, which finally downloads and starts an infostealer\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-06-justanything\n\n\nReasons (based on the campaign):\n\n\n - infostealer\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n\n - Downloads and executes a remote malicious script.\n\n\n - Downloads and executes a remote executable.\n","modified":"2026-03-19T12:54:19.255221Z","published":"2025-06-13T14:03:05Z","database_specific":{"malicious-packages-origins":[{"source":"reversing-labs","id":"RLMA-2025-03624","import_time":"2025-08-01T10:07:12.102289704Z","modified_time":"2025-07-31T19:15:26Z","versions":["0.1.3"],"sha256":"a9aa75c187e72700ba09ed4702cffa378cadeb41eeb75d23c948f482db23d958"},{"source":"kam193","id":"pypi/2025-06-justanything/justanything","import_time":"2025-12-02T22:30:55.290025918Z","modified_time":"2025-06-13T14:03:05Z","sha256":"5e1f94487dbebd32a85316b803acaa36b561736cb623779bfb16230740d6d4a7","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}]},{"source":"kam193","id":"pypi/2025-06-justanything/justanything","import_time":"2025-12-02T23:07:18.314352319Z","modified_time":"2025-06-13T14:03:05Z","sha256":"206471fdab67d7afeeb5fa6ee55cdb14b88338b58b50a5b73f31bbbb5e66e65b","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}]},{"source":"kam193","id":"pypi/2025-06-justanything/justanything","import_time":"2025-12-10T21:38:57.559463547Z","modified_time":"2025-06-13T14:03:05Z","versions":["0.1.0","0.1.1","0.1.2","0.1.3"],"sha256":"36d8d08634f081e7ca5a41a775e7df4da0ff4eee88614636be798a2180e74b25"},{"source":"reversing-labs","id":"RLUA-2026-00445","import_time":"2026-03-19T12:19:56.951080996Z","modified_time":"2026-03-18T12:15:18Z","versions":["0.1.0","0.1.1","0.1.2"],"sha256":"cd665efafa85a40cabfc8646ae2c697e6563c527618cc6560a95a5034063ca42"}],"iocs":{"urls":["https://fastobfuscate.run/1.txt","https://fastobfuscate.run/main.py","https://fastobfuscate.run/python.exe"],"domains":["fastobfuscate.run"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/justanything"}],"affected":[{"package":{"name":"justanything","ecosystem":"PyPI","purl":"pkg:pypi/justanything"},"versions":["0.1.3","0.1.0","0.1.1","0.1.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/justanything/MAL-2025-6531.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}