{"id":"MAL-2026-3127","summary":"Malicious code in coloreasyprint (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (d52af876a91a6ff5ff8144b705201fd465db94ad89f0e1b37bd22fe6ca0f5622)\nDuring import, the code downloads and executes an encrypted payload from a remote location. During analysis, the remote code was prepared to download the next-stage executable. This is likely selectively delivered to victims, as the code polls the C2 server periodically with the local hostname and awaits the next stage to download.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-04-pathjoin\n\n\nReasons (based on the campaign):\n\n\n - obfuscation\n\n\n - Downloads and executes a remote malicious script.\n","modified":"2026-04-28T09:32:04.166889Z","published":"2026-04-28T08:25:33Z","database_specific":{"malicious-packages-origins":[{"id":"pypi/2026-04-pathjoin/coloreasyprint","source":"kam193","versions":["0.4.7.dev1","0.4.7.dev2","0.4.7.dev3"],"import_time":"2026-04-28T09:18:57.566762197Z","sha256":"d52af876a91a6ff5ff8144b705201fd465db94ad89f0e1b37bd22fe6ca0f5622","modified_time":"2026-04-28T08:25:33.987462Z"}],"iocs":{"urls":["https://gifpngstore.com/test/dataP.php"],"domains":["brainwavehub.org","gifpngstore.com"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/coloreasyprint"}],"affected":[{"package":{"name":"coloreasyprint","ecosystem":"PyPI","purl":"pkg:pypi/coloreasyprint"},"versions":["0.4.7.dev1","0.4.7.dev2","0.4.7.dev3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/coloreasyprint/MAL-2026-3127.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}
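The record above gives two things a responder can act on: the exact malicious versions of `coloreasyprint` and the C2 indicators (`gifpngstore.com`, `brainwavehub.org`). The script below is an added example, not part of the OSV record or of the ossf/malicious-packages tooling. It embeds the relevant fields of the record, checks a list of installed distributions against the affected versions (normalizing project names the way pip does), and matches resolver log lines against the IOC domains, including subdomains but excluding look-alike suffixes. The installed-package list and the DNS log lines are constructed sample data; the log layout (`client=... name=...`) is an assumed generic format, not any particular resolver's.

```python
import json
import re
from importlib import metadata
from urllib.parse import urlparse

# Affected/IOC fields copied from the MAL-2026-3127 record on this page, embedded so the
# example runs offline. A real scan would load the full OSV JSON file instead.
OSV_RECORD = json.loads("""
{
  "id": "MAL-2026-3127",
  "affected": [{"package": {"name": "coloreasyprint", "ecosystem": "PyPI"},
                "versions": ["0.4.7.dev1", "0.4.7.dev2", "0.4.7.dev3"]}],
  "database_specific": {"iocs": {"urls": ["https://gifpngstore.com/test/dataP.php"],
                                 "domains": ["brainwavehub.org", "gifpngstore.com"]}}
}
""")


def normalize_name(name):
    """PEP 503 normalization: pip treats Color_Easy.Print and coloreasyprint as one project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def affected_versions(record, ecosystem="PyPI"):
    """Map normalized package name -> set of exact versions the record lists as malicious."""
    out = {}
    for entry in record.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem:
            continue
        out.setdefault(normalize_name(pkg["name"]), set()).update(entry.get("versions", []))
    return out


def find_installed_hits(record, installed):
    """installed: iterable of (name, version). Returns [(normalized_name, version)] that match."""
    bad = affected_versions(record)
    hits = []
    for name, version in installed:
        key = normalize_name(name)
        if key in bad and version in bad[key]:
            hits.append((key, version))
    return hits


def scan_live_environment(record):
    """Check the running interpreter's own site-packages (not exercised by the sample run)."""
    installed = [(d.metadata["Name"], d.version) for d in metadata.distributions()]
    return find_installed_hits(record, installed)


def ioc_domains(record):
    """Domains from iocs.domains plus the host part of every iocs.urls entry."""
    iocs = record.get("database_specific", {}).get("iocs", {})
    domains = {d.lower().rstrip(".") for d in iocs.get("domains", [])}
    for url in iocs.get("urls", []):
        host = urlparse(url).hostname
        if host:
            domains.add(host.lower())
    return domains


def domain_matches(qname, ioc):
    """True for the IOC domain itself or any subdomain of it; a bare suffix match such as
    notgifpngstore.com must not count."""
    qname = qname.lower().rstrip(".")
    return qname == ioc or qname.endswith("." + ioc)


# Constructed resolver log lines (assumed key=value layout): one beacon to the C2 host,
# one subdomain hit, one benign lookup and one look-alike that must not match.
SAMPLE_DNS_LOG = """\
2026-04-28T09:00:01Z client=10.0.0.5 type=A name=pypi.org
2026-04-28T09:00:07Z client=10.0.0.5 type=A name=gifpngstore.com
2026-04-28T09:05:07Z client=10.0.0.5 type=A name=cdn.brainwavehub.org.
2026-04-28T09:05:09Z client=10.0.0.9 type=A name=notgifpngstore.com
"""

QNAME_RE = re.compile(r"\bname=(\S+)")
CLIENT_RE = re.compile(r"\bclient=(\S+)")


def match_dns_log(record, log_text):
    """Return [(line_no, client, queried_name, matched_ioc)] for queries that hit an IOC."""
    iocs = ioc_domains(record)
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = QNAME_RE.search(line)
        if not m:
            continue
        qname = m.group(1)
        client = CLIENT_RE.search(line)
        for ioc in iocs:
            if domain_matches(qname, ioc):
                hits.append((line_no, client.group(1) if client else "", qname.rstrip("."), ioc))
                break
    return hits


if __name__ == "__main__":
    # Constructed sample of installed distributions; the mixed-case name is deliberate.
    sample_installed = [("requests", "2.32.3"), ("ColorEasyPrint", "0.4.7.dev2"), ("coloreasyprint", "0.4.6")]
    print("installed hits:", find_installed_hits(OSV_RECORD, sample_installed))
    print("dns hits:", match_dns_log(OSV_RECORD, SAMPLE_DNS_LOG))
```

Exact string comparison of versions is enough here because the record enumerates the malicious versions rather than giving a range; for range-based advisories, compare with `packaging.version.Version` instead. The DNS match is only a first signal: a hit on `gifpngstore.com` from a build host means the import-time stage ran and the host should be treated as compromised, since the record describes the payload polling the C2 with the local hostname until a next stage is served.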