{"id":"MAL-2025-6621","summary":"Malicious code in web3toolkit-base (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (bdfcb6d5feffbd89fd13ed27d03b0bf7c14970f09ceeb202f8b36703fec6e907)\nCode monitors the clipboard and when detects a cryptocurrency wallet, attempts to overwrite it with the own address.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-07-web3toolkit-base\n\n\nReasons (based on the campaign):\n\n\n - crypto-related\n\n\n - clipboard-modify\n\n\n - obfuscation\n","modified":"2026-03-19T12:58:26.622118Z","published":"2025-07-10T19:41:11Z","database_specific":{"malicious-packages-origins":[{"id":"RLMA-2025-03720","modified_time":"2025-07-31T19:17:04Z","versions":["0.1.0","1.0.0","1.1.0","1.1.1"],"source":"reversing-labs","import_time":"2025-08-01T10:07:14.924736289Z","sha256":"821b0d5d2772a8e8bf815da34513f9219288f0246595dd00fc89e5dddb4453c0"},{"id":"pypi/2025-07-web3toolkit-base/web3toolkit-base","modified_time":"2025-07-10T19:41:11.165969Z","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"source":"kam193","import_time":"2025-12-02T22:30:55.756733081Z","sha256":"567a2e95cfb6043aac08875d2601cd64d7e333423656df84c83ee4b7e984d5e6"},{"id":"pypi/2025-07-web3toolkit-base/web3toolkit-base","modified_time":"2025-07-10T19:41:11.165969Z","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"source":"kam193","import_time":"2025-12-02T23:07:18.798928077Z","sha256":"bdfcb6d5feffbd89fd13ed27d03b0bf7c14970f09ceeb202f8b36703fec6e907"},{"id":"pypi/2025-07-web3toolkit-base/web3toolkit-base","modified_time":"2025-07-10T19:41:11.165969Z","versions":["0.1.0","1.1.1","1.0.0","1.1.0"],"source":"kam193","import_time":"2025-12-10T21:38:57.965390469Z","sha256":"1cb19dc5f1a53e7b4e86d20dbca33ac056db80a52b9bffda5b5661b25786c6a9"},{"id":"pypi/2025-07-web3toolkit-base/web3toolkit-base","modified_time":"2025-07-10T19:41:11.165969Z","versions":["0.1.0","1.0.0","1.1.0","1.1.1"],"source":"kam193","import_time":"2025-12-30T22:39:04.209348569Z","sha256":"58b7fad5df543bcbba1ba28f9e9a92f65a8a7c4118a2d6d04f87e341b637990e"},{"id":"RLUA-2026-00921","modified_time":"2026-03-18T12:20:31Z","source":"reversing-labs","import_time":"2026-03-19T12:20:43.743334573Z","sha256":"c8161916eb922eca04eec0566b8f99ea3d3d41bfe6bf1a55080427a585384f63"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/web3toolkit-base"}],"affected":[{"package":{"name":"web3toolkit-base","ecosystem":"PyPI","purl":"pkg:pypi/web3toolkit-base"},"versions":["0.1.0","1.0.0","1.1.0","1.1.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/web3toolkit-base/MAL-2025-6621.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}