{"id":"MAL-2025-6547","summary":"Malicious code in memlib (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (a0d0e362d3ea9b768078a9e47f80c667acef799c7099f8044e74fd1738fdedb4)\nInstalling the package triggers a code that looks like downloading a picture, but in fact downloads and starts an executable with malware. Note that file supplied from the URL differs depending on the presence of the special header\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-07-memlib\n\n\nReasons (based on the campaign):\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n\n - Downloads and executes a remote executable.\n\n\n - malware\n","modified":"2026-03-19T12:54:57.060187Z","published":"2025-07-16T19:46:02Z","database_specific":{"malicious-packages-origins":[{"versions":["2.0.0"],"import_time":"2025-08-01T10:07:12.593648595Z","id":"RLMA-2025-03644","modified_time":"2025-07-31T19:15:43Z","sha256":"e424a3ccba21168bc30bb897ea5eb6e2943ee8a5554c39eec55f049031239127","source":"reversing-labs"},{"source":"kam193","import_time":"2025-12-02T22:30:55.333720421Z","id":"pypi/2025-07-memlib/memlib","modified_time":"2025-07-16T19:46:02.684371Z","sha256":"de3ef8a2a725d846e8066394b238be79bfe0d7b7e7c3b653dc1b5e7dc12361d2","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"source":"kam193","import_time":"2025-12-02T23:07:18.3624201Z","id":"pypi/2025-07-memlib/memlib","modified_time":"2025-07-16T19:46:02.684371Z","sha256":"a0d0e362d3ea9b768078a9e47f80c667acef799c7099f8044e74fd1738fdedb4","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"versions":["2.0.0"],"import_time":"2025-12-10T21:38:57.591212641Z","id":"pypi/2025-07-memlib/memlib","modified_time":"2025-07-16T19:46:02.684371Z","sha256":"d5e00072c0ca596f2cfeffed47046624395c7ae0158ae4df3ef306239b6109f8","source":"kam193"},{"source":"reversing-labs","import_time":"2026-03-19T12:20:03.426697597Z","id":"RLUA-2026-00511","modified_time":"2026-03-18T12:16:00Z","sha256":"3824a3e69aad7c7ad9b98554d431c114976015a7766187d94716b68048cc4f45"}],"iocs":{"urls":["https://image-logo-popup-files.vercel.app/public/image.jpg"]}},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/0fc1e062c521184f7e0c9f23dfdeb5431414e35cb55886e87c5ff5ec92ff4603"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/memlib"}],"affected":[{"package":{"name":"memlib","ecosystem":"PyPI","purl":"pkg:pypi/memlib"},"versions":["2.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/memlib/MAL-2025-6547.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}