{"id":"MAL-2026-35","summary":"Malicious code in aiihttp (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (e98bbfaaccc91213e80bb0a09f5081a5701cf01629ac8b82370adbbbc42178b0)\nObfuscated code downloads an encrypted binary blob, which is malware finally starting cryptomining. After starting the malware, the Python package uninstall itself and installs the legitimate package, covering tracks of the infection.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-01-aiihttp\n\n\nReasons (based on the campaign):\n\n\n - typosquatting\n\n\n - Downloads and executes a remote executable.\n\n\n - malware\n\n\n - cryptominer\n\n\n - obfuscation\n\n\n - covering-tracks\n","modified":"2026-01-04T19:18:58.772492Z","published":"2026-01-04T18:50:00Z","database_specific":{"malicious-packages-origins":[{"versions":["3.13.3"],"source":"kam193","import_time":"2026-01-04T19:06:14.483017167Z","sha256":"e98bbfaaccc91213e80bb0a09f5081a5701cf01629ac8b82370adbbbc42178b0","modified_time":"2026-01-04T18:50:00.293144Z","id":"pypi/2026-01-aiihttp/aiihttp"}],"iocs":{"urls":["https://github.com/ffoundation7/mscur2/raw/refs/heads/main/data_3.bin","https://github.com/ffoundation7/mscur","https://github.com/ffoundation7/mscur2"]}},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/68d0f3934245cba3741079b16cc93b98bf73101fdebf3dfc666d1eda22f997f1/behavior"},{"type":"EVIDENCE","url":"https://tria.ge/260104-xc563asncq/static1"},{"type":"EVIDENCE","url":"https://tria.ge/260104-w59jhswlgt/static1"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/aiihttp"}],"affected":[{"package":{"name":"aiihttp","ecosystem":"PyPI","purl":"pkg:pypi/aiihttp"},"versions":["3.13.3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/aiihttp/MAL-2026-35.json"}}],"schema_version":"1.7.3","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}