{"id":"MAL-2025-985","summary":"Malicious code in shoots-api-test (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (78ebd73df4ce754b9e3a33af932d2b686a05716f83ccf3d7dd99029e73713acc)\nImporting the module triggers sending out the hostname to the package author. It looks to be a placeholder/pentest activity related to ByteDance.\n\n\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.\n\n\nCampaign: 2024-11-0wn-sh\n\n\nReasons (based on the campaign):\n\n\n - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.\n","modified":"2026-03-19T12:56:57.430211Z","published":"2024-11-29T13:03:21Z","database_specific":{"iocs":{"domains":["0wn.sh"]},"malicious-packages-origins":[{"sha256":"c6f726a8908bb26eba62e7754c7c2a2ee1e53fba84d69f4685dfdfd6f000ff7b","import_time":"2025-02-03T18:38:09.485935276Z","source":"reversing-labs","versions":["0.1.1"],"id":"RLMA-2025-00526","modified_time":"2025-02-03T17:07:54Z"},{"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"sha256":"551d827d33fac58c411ed4e0aed885a7261a71066180f007b5e7b9f4da216cad","import_time":"2025-12-02T22:30:56.402703363Z","source":"kam193","id":"pypi/2024-11-0wn-sh/shoots-api-test","modified_time":"2024-11-29T13:03:21Z"},{"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"sha256":"78ebd73df4ce754b9e3a33af932d2b686a05716f83ccf3d7dd99029e73713acc","import_time":"2025-12-02T23:07:19.588817039Z","source":"kam193","id":"pypi/2024-11-0wn-sh/shoots-api-test","modified_time":"2024-11-29T13:03:21Z"},{"sha256":"20c69f2dfbbce7fc464510c19fe6b8fa03a26b67437f9715aef0a9bd03240957","import_time":"2025-12-10T21:38:58.692620121Z","source":"kam193","versions":["0.1.1"],"id":"pypi/2024-11-0wn-sh/shoots-api-test","modified_time":"2024-11-29T13:03:21Z"},{
"sha256":"386c0eb8d5539467776ebcc69f83f02a13da1243420c8c8763610d86949669eb","import_time":"2026-03-19T12:20:27.389087294Z","source":"reversing-labs","id":"RLUA-2026-00756","modified_time":"2026-03-18T12:18:47Z"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/shoots-api-test"}],"affected":[{"package":{"name":"shoots-api-test","ecosystem":"PyPI","purl":"pkg:pypi/shoots-api-test"},"versions":["0.1.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/shoots-api-test/MAL-2025-985.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}