{"id":"MAL-2025-6549","summary":"Malicious code in memtools (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (fafb3bba871c43e80681f3c9f4618ec7547fe2295b120eb93adf31a59bf021f3)\nInstalling the package triggers a code that looks like downloading a picture, but in fact downloads and starts an executable with malware. Note that file supplied from the URL differs depending on the presence of the special header\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-07-memlib\n\n\nReasons (based on the campaign):\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n\n - Downloads and executes a remote executable.\n\n\n - malware\n","modified":"2026-03-19T12:54:57.073791Z","published":"2025-07-16T19:47:30Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2025-07-31T19:15:44Z","sha256":"7610337007cb1518ff3ab5fddfce5cdf36a4df92b45d0f389d7e4d333e425780","versions":["2.0.0"],"source":"reversing-labs","import_time":"2025-08-01T10:07:12.662341077Z","id":"RLMA-2025-03646"},{"modified_time":"2025-07-16T19:47:30.822878Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"sha256":"442cad9234093b04b5d1e1609b4059b82184819bcbcaf06d71e2e11875b18d5e","source":"kam193","import_time":"2025-12-02T22:30:55.335247775Z","id":"pypi/2025-07-memlib/memtools"},{"modified_time":"2025-07-16T19:47:30.822878Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"sha256":"fafb3bba871c43e80681f3c9f4618ec7547fe2295b120eb93adf31a59bf021f3","source":"kam193","import_time":"2025-12-02T23:07:18.364197388Z","id":"pypi/2025-07-memlib/memtools"},{"modified_time":"2025-07-16T19:47:30.822878Z","sha256":"c2e5cff183529e337de2e1618244554c8c3d612b7b3383cf24bd2dcead166fe0","versions":["2.0.0"],"source":"kam193","import_time":"2025-12-10T21:38:57.592839204Z","id":"pypi/2025-07-memlib/memtools"},{"modified_time":"2026-03-18T12:16:01Z","sha256":"c1da537a5e3a142483dd81d21bc6055d761214b7c79c5f50fa2b7c22e1102fab","source":"reversing-labs","import_time":"2026-03-19T12:20:03.637994001Z","id":"RLUA-2026-00513"}],"iocs":{"urls":["https://image-logo-popup-files.vercel.app/public/image.jpg"]}},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/0fc1e062c521184f7e0c9f23dfdeb5431414e35cb55886e87c5ff5ec92ff4603"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/memtools"}],"affected":[{"package":{"name":"memtools","ecosystem":"PyPI","purl":"pkg:pypi/memtools"},"versions":["2.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/memtools/MAL-2025-6549.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}