{"id":"MAL-2026-3425","summary":"Malicious code in xxoo-bale (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (74ce2be8301ccea70138e307282fbf70ede26eede2a531296145f7d0da695b80)\nThe package contains code to install remotely stored malware and ensure its persistence. The code is not triggered automatically; it requires a separate trigger.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-07-cas-base\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n\n\n - malware\n\n\n - persistence\n","modified":"2026-05-11T11:01:46.130533Z","published":"2026-05-11T10:18:51Z","database_specific":{"iocs":{"urls":["https://pub-b63e77578ffe42519de7d1771935f8b0.r2.dev/Kaylew.zip","https://pub-b63e77578ffe42519de7d1771935f8b0.r2.dev/Ddrat.zip","https://pub-b63e77578ffe42519de7d1771935f8b0.r2.dev/Edge.zip"],"domains":["pub-b63e77578ffe42519de7d1771935f8b0.r2.dev"]},"malicious-packages-origins":[{"modified_time":"2026-05-11T10:18:51.094089Z","id":"pypi/2025-07-cas-base/xxoo-bale","import_time":"2026-05-11T10:43:41.411007792Z","sha256":"74ce2be8301ccea70138e307282fbf70ede26eede2a531296145f7d0da695b80","source":"kam193","versions":["1.0.0"]}]},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/94b4fd98f0f168d999753bed16817ba15b0f17e7373819e3c383feac9dac58c1/detection"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/20377b8ee72f1371ed41228f47d4bce20b1b3c89b8465626fb78bc3f18ea935e/detection"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/0338390d7b545f2695622df543b67b9a87131416b71dfb368a874a335a55238f/detection"},{"type":"WEB","url":"https://github.com/kamakshyatest4/python-malware/blob/45f86d614fd5c8c01d844a458d56c292c7c060c2/requirements.txt#L1"},{"type":"EVIDENCE","url":"https://tria.ge/250712-jwamlsyxat"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/cd4e27e9d32c1ef71a49c3c7695be591cb3400763b22471347c4af1db366685e"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/40b64916c5a38fde2b9939c674a2eaefd39df6216014e35a86b596746d34e2e9"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/xxoo-bale"}],"affected":[{"package":{"name":"xxoo-bale","ecosystem":"PyPI","purl":"pkg:pypi/xxoo-bale"},"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/xxoo-bale/MAL-2026-3425.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}