{"id":"MAL-2026-2308","summary":"Malicious code in workingitme (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (77ec565b572be137d67ece8342d916cb970b501ee390e7250878e27277685fe9)\nDuring installation, if run under a specific username, the package downloads and installs two executables identified as backdoors trojans.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-03-thisismytest123\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n\n\n - backdoor\n\n\n - malware\n\n## Source: ossf-package-analysis (8a5cb5b3d373ac747dc62283de546c31953f97944a6a48c332bdfa40babcf38c)\nThe OpenSSF Package Analysis project identified 'workingitme' @ 1.0.0 (pypi) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-03-31T05:35:55.582027Z","published":"2026-03-31T03:40:48Z","database_specific":{"iocs":{"urls":["http://8.217.174.149:8888/supershell/compile/download/java","https://shim.oss-cn-hongkong.aliyuncs.com/shim","https://shim.oss-cn-hongkong.aliyuncs.com/shim.conf"]},"malicious-packages-origins":[{"source":"ossf-package-analysis","sha256":"8a5cb5b3d373ac747dc62283de546c31953f97944a6a48c332bdfa40babcf38c","modified_time":"2026-03-31T03:40:48Z","versions":["1.0.0"],"import_time":"2026-03-31T04:23:27.378614817Z"},{"source":"kam193","sha256":"77ec565b572be137d67ece8342d916cb970b501ee390e7250878e27277685fe9","id":"pypi/2026-03-thisismytest123/workingitme","modified_time":"2026-03-31T04:13:44.48306Z","versions":["1.0.0"],"import_time":"2026-03-31T05:17:28.537995849Z"}]},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/d06d2288d3aa76675947137279e6db4d5a31d3ab3a46720d15df4c4d2d52b9d3/detection"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/28d6c2c26ed631981fc9575a452b45b8b741d172769d5d8366a4269536236ab3/detection"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/workingitme"}],"affected":[{"package":{"name":"workingitme","ecosystem":"PyPI","purl":"pkg:pypi/workingitme"},"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/workingitme/MAL-2026-2308.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}