{"id":"MAL-2026-3243","summary":"Malicious code in puan3 (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (531ab02814e67f81e5c82fb57b72d59c3972d0975932f6e9d00ea680040e9a13)\nDuring import, package automatically starts a connection to a C2 server, exfiltrates information about the host and data like the browser's history and sensitive files, and then waits for remote commands to execute.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-05-puan3\n\n\nReasons (based on the campaign):\n\n\n - exfiltration-generic\n\n\n - exfiltration-browser-data\n\n\n - The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.\n\n\n - rat\n\n\n - exfiltration-credentials\n","modified":"2026-05-03T21:32:08.026066Z","published":"2026-05-03T12:16:07Z","database_specific":{"malicious-packages-origins":[{"sha256":"531ab02814e67f81e5c82fb57b72d59c3972d0975932f6e9d00ea680040e9a13","versions":["0.1.0","0.1.1"],"id":"pypi/2026-05-puan3/puan3","source":"kam193","modified_time":"2026-05-03T12:16:07.229837Z","import_time":"2026-05-03T12:50:01.134320007Z"},{"sha256":"d4704e51813049248eccf78133b3ccc8816cfebb30555fa2adf67e99534349d4","versions":["0.1.0","0.1.1"],"id":"pypi/2026-05-puan3/puan3","source":"kam193","modified_time":"2026-05-03T12:16:07.229837Z","import_time":"2026-05-03T21:19:17.74121945Z"}],"iocs":{"ips":["185.246.113.53"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/puan3"}],"affected":[{"package":{"name":"puan3","ecosystem":"PyPI","purl":"pkg:pypi/puan3"},"versions":["0.1.0","0.1.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/puan3/MAL-2026-3243.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}