{"id":"MAL-2025-991","summary":"Malicious code in sysfunc (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (9dc5d09b08f080ad350524a6620877c69339aac5885f4ddb2cbaec68bfa2d3ee)\nImporting the module starts downloading and executing an Infostealer targeting browsers' and Discord data\n\nIn first packages, there was a hidden line triggering downloading and running an infostealer\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2024-12-syscontrol\n\n\nReasons (based on the campaign):\n\n\n - infostealer\n\n\n - obfuscation\n\n\n - action-hidden-in-lib-usage\n\n\n - infostealer:kiwi\n\n\n - exfiltration-browser-data\n\n\n - exfiltration-crypto\n","modified":"2026-03-19T12:57:06.779879Z","published":"2024-12-26T12:24:34Z","database_specific":{"iocs":{"ips":["45.142.115.225"],"urls":["http://45.142.115.225:8000/grab/DaTDTcxiSvq9OA6r","http://45.142.115.225:8000/inject/DaTDTcxiSvq9OA6r","http://45.142.115.225:8000/grab/DaTDTcxiSvq9OA6r","http://45.142.115.225:8000/repeter/DaTDTcxiSvq9OA6r","https://cdn.discordapp.com/attachments/1086668425797058691/1113770559688413245/app.asar","https://cdn.discordapp.com/attachments/1135684724585681039/1143224080603037827/app.asar"]},"malicious-packages-origins":[{"sha256":"76180ff45802342233033d7378ec3f78369fadcb0a9c7be414793436dfcad03a","import_time":"2025-02-03T18:38:09.753882742Z","modified_time":"2025-02-03T17:07:58Z","versions":["0.1","0.2","0.3","0.4","0.5","0.6","0.7","0.8"],"source":"reversing-labs","id":"RLMA-2025-00532"},{"sha256":"0b3ce812db39763e0854d9b75e80eeadffed06c2875005db939a6d8023d13c4b","import_time":"2025-12-02T22:30:55.62270865Z","modified_time":"2024-12-26T12:24:34Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"source":"kam193","id":"pypi/2024-12-syscontrol/sysfunc"},{"sha256":"9dc5d09b08f080ad350524a6620877c69339aac5885f4ddb2cbaec68bfa2d3ee","import_time":"2025-12-02T23:07:18.663753678Z","modified_time":"2024-12-26T12:24:34Z","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"source":"kam193","id":"pypi/2024-12-syscontrol/sysfunc"},{"sha256":"bb6fcf947f0867019b1af6de16cb5676e83ed4e041fdc241285a847337cb5cdd","import_time":"2025-12-10T21:38:57.851746847Z","modified_time":"2024-12-26T12:24:34Z","versions":["0.1","0.2","0.3","0.6","0.4","0.5","0.7","0.8"],"source":"kam193","id":"pypi/2024-12-syscontrol/sysfunc"},{"sha256":"16caf81a573979aa05c7143b44582d76dcb09b7dfedff3a5c18adc998a934f15","import_time":"2025-12-30T22:39:04.19117514Z","modified_time":"2024-12-26T12:24:34Z","versions":["0.1","0.2","0.3","0.4","0.5","0.6","0.7","0.8"],"source":"kam193","id":"pypi/2024-12-syscontrol/sysfunc"},{"sha256":"d2d45ac5313e4cc4d9771cd83bc6ae00a4501f39f4b3c7337e218c83dbd3e81c","import_time":"2026-03-19T12:20:31.423351628Z","modified_time":"2026-03-18T12:19:13Z","source":"reversing-labs","id":"RLUA-2026-00796"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/sysfunc"}],"affected":[{"package":{"name":"sysfunc","ecosystem":"PyPI","purl":"pkg:pypi/sysfunc"},"versions":["0.1","0.2","0.3","0.4","0.5","0.6","0.7","0.8"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/sysfunc/MAL-2025-991.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}