{"id":"MAL-2026-1222","summary":"Malicious code in optimal-spark-config (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (a1c1bf78d6e3b593fd29329b4175a48c645abf4b4b63e93db68f25221329d14c)\nDuring installation, the package starts obfuscated code that attempts to exfiltrate some basic information using DNS requests and then likely cover tracks by installing a similarly named package from private repository\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-02-urllib-slim\n\n\nReasons (based on the campaign):\n\n\n - typosquatting\n\n\n - Downloads and executes a remote executable.\n\n\n - obfuscation\n\n\n - dependency-confusion\n","modified":"2026-03-23T20:32:08.245534Z","published":"2026-03-03T18:02:59Z","database_specific":{"malicious-packages-origins":[{"versions":["14.0.0","14.0.1","14.0.2"],"source":"kam193","modified_time":"2026-03-03T18:02:59.459666Z","id":"pypi/2026-02-urllib-slim/optimal-spark-config","import_time":"2026-03-03T18:20:16.081533863Z","sha256":"a1c1bf78d6e3b593fd29329b4175a48c645abf4b4b63e93db68f25221329d14c"},{"versions":["14.0.0","14.0.1","14.0.2"],"source":"kam193","modified_time":"2026-03-03T18:02:59.459666Z","id":"pypi/2026-02-urllib-slim/optimal-spark-config","import_time":"2026-03-03T19:20:04.712977567Z","sha256":"8875cb0d0b4757cf1cdaed6b5311cf6b8c841dc2065f824a430a0d0debfaaf22"},{"versions":["14.0.0","14.0.1","14.0.2","14.0.3"],"source":"kam193","modified_time":"2026-03-03T19:02:20.555499Z","id":"pypi/2026-02-urllib-slim/optimal-spark-config","import_time":"2026-03-03T20:12:03.921268287Z","sha256":"06464a6f0ed327a7db87798c5134f72c4e43b71eda981f62e8d0549cd13c9eaa"},{"versions":["14.0.0","14.0.1","14.0.2","14.0.3"],"source":"kam193","modified_time":"2026-03-03T19:02:20.555499Z","id":"pypi/2026-02-urllib-slim/optimal-spark-config","import_time":"2026-03-23T20:16:57.848475002Z","sha256":"fb399f8b1478c484f6f15ea4541ed99000468a1e737487d4680e1bb43f7d3860"}],"iocs":{"urls":["https://storage.googleapis.com/py-pi/python_mac","https://storage.googleapis.com/py-pi/python_rhel","https://storage.googleapis.com/py-pi/python_win"],"domains":["1r.vc","i.1r.vc"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/optimal-spark-config"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/d6029cce705b3842042106efb737c8b14eb736fdbfb8d0d03c3dfbc8d6c207a5?nocache=1"},{"type":"WEB","url":"https://github.com/loudpage5125"},{"type":"WEB","url":"https://github.com/geekennedy/"},{"type":"WEB","url":"https://github.com/GCLNS"}],"affected":[{"package":{"name":"optimal-spark-config","ecosystem":"PyPI","purl":"pkg:pypi/optimal-spark-config"},"versions":["14.0.0","14.0.1","14.0.2","14.0.3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/optimal-spark-config/MAL-2026-1222.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}