{"id":"MAL-2026-128","summary":"Malicious code in lnatainstaller (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (a613dbd371593bf6bcb7ae528a4d7d7dba2fedfc6670c8cb493bb5cbee18f734)\nPackage is designed to download and execute a remote script, which then downloads and runs a malicious executable\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-12-pdatainstaller\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote malicious script.\n\n\n - malware\n\n\n - Downloads and executes a remote executable.\n","modified":"2026-01-19T07:29:21.249947Z","published":"2026-01-07T19:46:19Z","database_specific":{"malicious-packages-origins":[{"sha256":"a613dbd371593bf6bcb7ae528a4d7d7dba2fedfc6670c8cb493bb5cbee18f734","import_time":"2026-01-07T20:40:53.377048426Z","versions":["1.0.0"],"source":"kam193","id":"pypi/2025-12-pdatainstaller/lnatainstaller","modified_time":"2026-01-07T19:46:19.565851Z"},{"sha256":"c3822afcab6a1539e1e4fe60243150c1844db475f93311255d63b90c9c8227df","import_time":"2026-01-14T21:39:18.45087869Z","versions":["1.0.0"],"source":"kam193","id":"pypi/2025-12-pdatainstaller/lnatainstaller","modified_time":"2026-01-07T19:46:19.565851Z"},{"sha256":"ae050d9062f7f90317c47faea3b14f97ed56d7f427bb69e884f576714abf5e37","import_time":"2026-01-19T07:14:29.761135598Z","versions":["1.0.0"],"source":"kam193","id":"pypi/2025-12-pdatainstaller/lnatainstaller","modified_time":"2026-01-07T19:46:19.565851Z"}],"iocs":{"urls":["https://pastebin.com/raw/s5WB7EtG","https://pastebin.com/raw/c3uYVYbT","https://github.com/uunnkknnoowwnn/dang/raw/refs/heads/main/svchost.exe","https://github.com/yoseffalrg-droid/Reall/raw/refs/heads/main/svchost.exe"]}},"references":[{"type":"WEB","url":"https://www.virustotal.com/gui/file-analysis/NzcxYTcyZDQxMzc0ZDUwNTk4MDY4OTE3Y2U3MzdhNDY6MTc2NzQwMTQwOQ=="},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/lnatainstaller"}],"affected":[{"package":{"name":"lnatainstaller","ecosystem":"PyPI","purl":"pkg:pypi/lnatainstaller"},"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/lnatainstaller/MAL-2026-128.json"}}],"schema_version":"1.7.3","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}