{"id":"MAL-2026-3133","summary":"Malicious code in fetchapi-syncdata-pypi (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (d0dcf5bd5c71d077b3763c74d57d68d5517a2b5c5229fdd5bd6f7369cb2a0f49)\nThe package contains code to download and start a malicious executable. It's masqueraded using name similar to Windows services. In analyzed versions, the code was not automatically started, suggesting it's just a part of a campaign.  Based on the dynamic analysis, the executable is likely an infostealer.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-04-fetch-data-api-syncapi\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n\n\n - malware\n","modified":"2026-04-28T20:30:55.858380Z","published":"2026-04-28T18:46:19Z","database_specific":{"iocs":{"domains":["botconfig4.nurmohammadrafi9966.workers.dev","webhook-relay.nurmohammadrafi9966.workers.dev"],"urls":["https://www.dropbox.com/scl/fi/g9n5elasjy54dl2kwfntg/MonitorClient.exe?rlkey=wync0ieqrytdi12bugsw6hzu7&st=tf3r09pi&dl=1"]},"malicious-packages-origins":[{"versions":["0.1.0"],"source":"kam193","sha256":"d0dcf5bd5c71d077b3763c74d57d68d5517a2b5c5229fdd5bd6f7369cb2a0f49","modified_time":"2026-04-28T18:46:19.734363Z","id":"pypi/2026-04-fetch-data-api-syncapi/fetchapi-syncdata-pypi","import_time":"2026-04-28T20:03:03.349444002Z"}]},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/7f6bb9cb5118cde0e476e4a41e6bd31027b2cc3b678112e25da3c68e2421a8a6/detection"},{"type":"WEB","url":"https://www.virustotal.com/gui/file-analysis/NmFjNTE4MGI3NjRhM2Y3YTZlMzM2ZmFhN2ZmY2E4ZWE6MTc3NzQwMTUxMA=="},{"type":"EVIDENCE","url":"https://app.any.run/tasks/58f6c7bd-daf7-4b02-ace3-a113a62f0c4f"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/fetchapi-syncdata-pypi"}],"affected":[{"package":{"name":"fetchapi-syncdata-pypi","ecosystem":"PyPI","purl":"pkg:pypi/fetchapi-syncdata-pypi"},"versions":["0.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/fetchapi-syncdata-pypi/MAL-2026-3133.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}