{"id":"MAL-2025-6558","summary":"Malicious code in node-db-indicator (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (7c9a18fe9ea04133e7de33313046092ffb5e8ccef6c1bf5f44e9b6d5e3835aa2)\nCode download and executes a remote script. At the time of analysis, the remote code just runs a notepad - as so classified as a pentest/research.\n\n\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.\n\n\nCampaign: 2025-07-db-indicator\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote malicious script.\n","modified":"2026-03-19T12:55:54.064701Z","published":"2025-07-11T10:01:11Z","database_specific":{"malicious-packages-origins":[{"id":"RLMA-2025-03655","import_time":"2025-08-01T10:07:12.951633757Z","sha256":"00738b29b8eee02047ce9ebce33b9ca4d6904f85763bd51cb5a13b2485ac1e49","source":"reversing-labs","modified_time":"2025-07-31T19:15:53Z","versions":["0.1.2"]},{"id":"pypi/2025-07-db-indicator/node-db-indicator","import_time":"2025-12-02T22:30:56.25218379Z","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"sha256":"38e66e7a73e04a99ca6362fff3930ec88b514cb1a9e1af86ba64cfbd1973f2d0","source":"kam193","modified_time":"2025-07-11T10:01:11.707048Z"},{"id":"pypi/2025-07-db-indicator/node-db-indicator","import_time":"2025-12-02T23:07:19.436994794Z","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"sha256":"7c9a18fe9ea04133e7de33313046092ffb5e8ccef6c1bf5f44e9b6d5e3835aa2","source":"kam193","modified_time":"2025-07-11T10:01:11.707048Z"},{"id":"pypi/2025-07-db-indicator/node-db-indicator","import_time":"2025-12-10T21:38:58.554050467Z","sha256":"d1391b2c1038576602b77ea99f80117f9025d8575bacf1cc93f7a7463ed44c42","source":"kam193","modified_time":"2025-07-11T10:01:11.707048Z","versions":["0.1.2"]},{"id":"RLUA-2026-00559","import_time":"2026-03-19T12:20:08.700600026Z","sha256":"ddf0e4fd1e3a693d12e61c2f814a90812348fc8c4297632800ba1dcfd8996e19","source":"reversing-labs","modified_time":"2026-03-18T12:16:31Z"}],"iocs":{"urls":["https://api.etherjs.pro/socket"],"domains":["etherjs.pro"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/node-db-indicator"}],"affected":[{"package":{"name":"node-db-indicator","ecosystem":"PyPI","purl":"pkg:pypi/node-db-indicator"},"versions":["0.1.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/node-db-indicator/MAL-2025-6558.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}