{"id":"MAL-2026-351","summary":"Malicious code in nanoinstaller (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (9f6ea4dd9867e528445ba01d2ceed3638e6178b2a940a2598c0f89eca5795802)\nPackage is designed to download and execute a remote script, which then downloads and runs a malicious executable\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-12-pdatainstaller\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n\n\n - Downloads and executes a remote malicious script.\n\n\n - malware\n","modified":"2026-01-19T08:04:01.595635Z","published":"2026-01-19T07:16:02Z","database_specific":{"malicious-packages-origins":[{"sha256":"9f6ea4dd9867e528445ba01d2ceed3638e6178b2a940a2598c0f89eca5795802","id":"pypi/2025-12-pdatainstaller/nanoinstaller","import_time":"2026-01-19T07:43:21.768734826Z","source":"kam193","versions":["1.0.0"],"modified_time":"2026-01-19T07:16:02.496642Z"}],"iocs":{"urls":["https://pastebin.com/raw/s5WB7EtG","https://pastebin.com/raw/c3uYVYbT","https://github.com/uunnkknnoowwnn/dang/raw/refs/heads/main/svchost.exe","https://github.com/yoseffalrg-droid/Reall/raw/refs/heads/main/svchost.exe","https://pastebin.com/raw/neRRCVv5","https://paste-bin.org/raw/ihw9gkkyx1","https://files.catbox.moe/5z57x9.txt"]}},"references":[{"type":"WEB","url":"https://www.virustotal.com/gui/file-analysis/NzcxYTcyZDQxMzc0ZDUwNTk4MDY4OTE3Y2U3MzdhNDY6MTc2NzQwMTQwOQ=="},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/nanoinstaller"}],"affected":[{"package":{"name":"nanoinstaller","ecosystem":"PyPI","purl":"pkg:pypi/nanoinstaller"},"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/nanoinstaller/MAL-2026-351.json"}}],"schema_version":"1.7.3","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}