{"id":"MAL-2025-927","summary":"Malicious code in foop (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (8dd063ab676114f4458052dd442285fb78dace9c91fd0b810c5c137cf3a4cb44)\nThe package looks like a beginning for a further work. In fact, the uploader has shortly published a few similar packages appearing to be e.g. an integration for a known application, but containing only a \"telemetry\" module exfiltrating basic info about the user. This package has no other purpose than collecting data about users. In addition, it appears to be largely generated by an LLM.\n\n\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.\n\n\nCampaign: 2024-12- sajansubedi\n\n\nReasons (based on the campaign):\n\n\n - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.\n\n\n - dependency-confusion\n","modified":"2026-03-19T12:53:21.232016Z","published":"2024-12-01T16:23:40Z","database_specific":{"malicious-packages-origins":[{"id":"RLMA-2025-00466","source":"reversing-labs","import_time":"2025-02-03T18:38:06.30780938Z","modified_time":"2025-02-03T17:07:22Z","sha256":"e61a1273aa0ad7ea095ba7550f9892016019cd0181ea839b9bcaf8d8e3a8e26e","versions":["60.0.0"]},{"id":"pypi/2024-12- sajansubedi/foop","source":"kam193","import_time":"2025-12-02T22:30:56.048418773Z","modified_time":"2024-12-01T16:23:40Z","sha256":"3b7141c12540ac3522c0867324eca89b6b91deca141f9f5369b00482e30ae612","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}]},{"id":"pypi/2024-12- sajansubedi/foop","source":"kam193","import_time":"2025-12-02T23:07:19.240108247Z","modified_time":"2024-12-01T16:23:40Z","sha256":"8dd063ab676114f4458052dd442285fb78dace9c91fd0b810c5c137cf3a4cb44","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}]},{"id":"pypi/2024-12- sajansubedi/foop","source":"kam193","import_time":"2025-12-10T21:38:58.383441756Z","modified_time":"2024-12-01T16:23:40Z","sha256":"9ae4b442a3089450b91b5053bbd553625386e13c80ac60ae7ea7cd61e7f06973","versions":["60.0.0"]},{"id":"RLUA-2026-00331","source":"reversing-labs","import_time":"2026-03-19T12:19:46.291235816Z","modified_time":"2026-03-18T12:13:57Z","sha256":"5d04c0cb65cac6f36427a095d22b797b9d7ee2df03bd594ba67c8b901079aa44"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/foop"}],"affected":[{"package":{"name":"foop","ecosystem":"PyPI","purl":"pkg:pypi/foop"},"versions":["60.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/foop/MAL-2025-927.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}