{"id":"MAL-2025-6565","summary":"Malicious code in pipmodule83 (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (95b01ea01a7fd1ff5e52491e6b143aa98f45a6f331814222fe38e76ad3ac0863)\nIf run as a module, the package downloads and executes a remote script. At the time of check, the remote script was just opening a popup; thus it's not classified as clearly malicious.\n\nThrough the package description related to \"cirhenly\" package, which was uploaded by \"0x92nw\" - see campaign 2025-07-0x92nw\n\n\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.\n\n\nCampaign: 2025-07-pipmodule83\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote malicious script.\n","modified":"2026-03-19T12:55:22.624420Z","published":"2025-07-05T11:05:55Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.2"],"modified_time":"2025-07-31T19:16:02Z","sha256":"a3ef16c222720f6936569e3cb54d57c916954c86ec5f95495414c25af1041c40","id":"RLMA-2025-03662","source":"reversing-labs","import_time":"2025-08-01T10:07:13.173040067Z"},{"modified_time":"2025-07-05T11:05:55Z","sha256":"7856b4f75afa0125606616ed3bf99110de22c8f90bad7ce4595cd05b241c47fb","id":"pypi/2025-07-pipmodule83/pipmodule83","source":"kam193","import_time":"2025-12-02T22:30:56.298120554Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"modified_time":"2025-07-05T11:05:55Z","sha256":"95b01ea01a7fd1ff5e52491e6b143aa98f45a6f331814222fe38e76ad3ac0863","id":"pypi/2025-07-pipmodule83/pipmodule83","source":"kam193","import_time":"2025-12-02T23:07:19.486186676Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}]},{"versions":["1.0.2"],"modified_time":"2025-07-05T11:05:55Z","sha256":"618aeb590e02926a184d2a0f61c2e3ce42d681a1b7c15a0438092ffb27759a41","id":"pypi/2025-07-pipmodule83/pipmodule83","source":"kam193","import_time":"2025-12-10T21:38:58.601570232Z"},{"modified_time":"2026-03-18T12:16:57Z","sha256":"14044cfef2d72e831a96ef47086bab2cf9644d221de1c1447797e5b35b8de453","id":"RLUA-2026-00594","source":"reversing-labs","import_time":"2026-03-19T12:20:12.374903245Z"}],"iocs":{"urls":["https://jjjy-9mb.pages.dev/j.vbs"],"domains":["jjjy-9mb.pages.dev"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/pipmodule83"}],"affected":[{"package":{"name":"pipmodule83","ecosystem":"PyPI","purl":"pkg:pypi/pipmodule83"},"versions":["1.0.2"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pipmodule83/MAL-2025-6565.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}