{"id":"MAL-2026-3428","summary":"Malicious code in xxx-bale (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (1109b5dc74c94551027044e54e20f9c1c18f89d53da6af87861ba4773eae1966)\nThe package contains code to install remotely stored malware and ensure its persistence. The code is not triggered automatically; it requires a separate trigger.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-07-cas-base\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n\n\n - malware\n\n\n - persistence\n","modified":"2026-05-11T17:18:06.056511Z","published":"2026-05-11T15:37:45Z","database_specific":{"malicious-packages-origins":[{"source":"kam193","id":"pypi/2025-07-cas-base/xxx-bale","import_time":"2026-05-11T16:58:55.645777809Z","modified_time":"2026-05-11T15:37:45.849409Z","sha256":"1109b5dc74c94551027044e54e20f9c1c18f89d53da6af87861ba4773eae1966","versions":["1.0.0"]}],"iocs":{"domains":["pub-b63e77578ffe42519de7d1771935f8b0.r2.dev"],"urls":["https://pub-b63e77578ffe42519de7d1771935f8b0.r2.dev/Kaylew.zip","https://pub-b63e77578ffe42519de7d1771935f8b0.r2.dev/Ddrat.zip","https://pub-b63e77578ffe42519de7d1771935f8b0.r2.dev/Edge.zip"]}},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/94b4fd98f0f168d999753bed16817ba15b0f17e7373819e3c383feac9dac58c1/detection"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/20377b8ee72f1371ed41228f47d4bce20b1b3c89b8465626fb78bc3f18ea935e/detection"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/0338390d7b545f2695622df543b67b9a87131416b71dfb368a874a335a55238f/detection"},{"type":"WEB","url":"https://github.com/kamakshyatest4/python-malware/blob/45f86d614fd5c8c01d844a458d56c292c7c060c2/requirements.txt#L1"},{"type":"EVIDENCE","url":"https://tria.ge/250712-jwamlsyxat"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/cd4e27e9d32c1ef71a49c3c7695be591cb3400763b22471347c4af1db366685e"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/40b64916c5a38fde2b9939c674a2eaefd39df6216014e35a86b596746d34e2e9"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/xxx-bale"}],"affected":[{"package":{"name":"xxx-bale","ecosystem":"PyPI","purl":"pkg:pypi/xxx-bale"},"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/xxx-bale/MAL-2026-3428.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}