{"id":"MAL-2026-375","summary":"Malicious code in spellcheckerpy (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (79cc4c6495567fe7659e9e4bb5964727bf95cfc9f78d32209937d73457bd476b)\nPackages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in background periodically connects to a remote host and waits for the next code to execute.\n\nThe malicious code was in version 1.3.0, but the package itself was clearly uploaded with malicious intentions.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-11-spellcheckers\n\n\nReasons (based on the campaign):\n\n\n - obfuscation\n\n\n - Downloads and executes a remote malicious script.\n\n\n - The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.\n","modified":"2026-03-13T06:45:02.225785Z","published":"2026-01-20T19:06:25Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-01-20T19:06:25.794768Z","id":"pypi/2025-11-spellcheckers/spellcheckerpy","sha256":"2ffcd3e16661799d1a55e0d5e359ffd6fb883256310f280d6e0b88a5edb4e626","source":"kam193","import_time":"2026-01-20T19:29:07.146029539Z","versions":["1.0.0","1.1.0","1.3.0"]},{"modified_time":"2026-01-20T19:06:25.794768Z","id":"pypi/2025-11-spellcheckers/spellcheckerpy","sha256":"79cc4c6495567fe7659e9e4bb5964727bf95cfc9f78d32209937d73457bd476b","source":"kam193","import_time":"2026-01-20T19:58:56.109232579Z","versions":["1.0.0","1.1.0","1.3.0"]},{"modified_time":"2026-01-20T19:06:25.794768Z","id":"pypi/2025-11-spellcheckers/spellcheckerpy","sha256":"10bb96df7d43eff438bbe7a555c333f9e1d02f837ee3636dcbf9aa9e22175c48","source":"kam193","import_time":"2026-01-27T18:48:13.385350639Z","versions":["1.0.0","1.1.0","1.3.0"]},{"modified_time":"2026-01-20T19:06:25.794768Z","id":"pypi/2025-11-spellcheckers/
spellcheckerpy","sha256":"14f2a6cb3c370817d9494648c7f7f19714f6b8985d936fe93d0d1685cd522fb2","source":"kam193","import_time":"2026-01-28T19:11:43.695337747Z","versions":["1.0.0","1.1.0","1.3.0"]},{"modified_time":"2026-01-20T19:06:25.794768Z","id":"pypi/2025-11-spellcheckers/spellcheckerpy","sha256":"0812165e8c72368e5a52652b3e4ebad7b61dd0bee3368dbd47b8728ca2eaeaad","source":"kam193","import_time":"2026-03-11T10:47:48.52324165Z","versions":["1.0.0","1.1.0","1.3.0"]}],"iocs":{"urls":["https://dothebest.store/allow/inform.php","https://dothebest.store/refresh.php","https://searchbox.info/prefer.php"],"domains":["dothebest.store","searchbox.info"]}},"references":[{"type":"WEB","url":"https://helixguard.ai/blog/malicious-spellcheckers-2025-11-19"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/spellcheckerpy"},{"type":"WEB","url":"https://www.aikido.dev/blog/malicious-pypi-packages-spellcheckpy-and-spellcheckerpy-deliver-python-rat"}],"affected":[{"package":{"name":"spellcheckerpy","ecosystem":"PyPI","purl":"pkg:pypi/spellcheckerpy"},"versions":["1.0.0","1.1.0","1.3.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/spellcheckerpy/MAL-2026-375.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}