{"id":"MAL-2026-1498","summary":"Malicious code in telegramdatas (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (742799f83f7140514aa9a55c3f3efb5142ab1eaef68317a40e23a8f261e22b71)\nDuring import, an infostealer embedded as package resource is started.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-03-flowfix\n\n\nReasons (based on the campaign):\n\n\n - obfuscation\n\n\n - infostealer\n\n\n - Downloads and executes a remote executable.\n","modified":"2026-03-17T17:01:32.539339Z","published":"2026-03-17T16:16:37Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-03-17T16:55:41.524702565Z","modified_time":"2026-03-17T16:16:37.669136Z","id":"pypi/2026-03-flowfix/telegramdatas","versions":["0.1.0"],"sha256":"742799f83f7140514aa9a55c3f3efb5142ab1eaef68317a40e23a8f261e22b71","source":"kam193"}],"iocs":{"urls":["https://lustodyssey.com/lustodysseysetup2.1.1.exe"],"domains":["lustodyssey.com"]}},"references":[{"type":"EVIDENCE","url":"https://app.any.run/tasks/da14db45-34c9-465f-80e5-394d433cd21d"},{"type":"EVIDENCE","url":"https://app.any.run/tasks/3a6f9054-be6c-4b33-bcf7-d7504e1f4d52"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/telegramdatas"}],"affected":[{"package":{"name":"telegramdatas","ecosystem":"PyPI","purl":"pkg:pypi/telegramdatas"},"versions":["0.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/telegramdatas/MAL-2026-1498.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}