{"id":"MAL-2026-5100","summary":"Malicious code in obfuscation (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (9a6d747918a89b433d6b670595d6b8d3049f49a69762c3e483d4f0f9dbeb81a3)\nDuring installation, the code tamper with security settings and downloads and executes malicious executable.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-05-cryptolock\n\n\nReasons (based on the campaign):\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n\n - Downloads and executes a remote executable.\n\n\n - malware\n","modified":"2026-05-31T14:45:53.084056244Z","published":"2026-05-31T13:13:56Z","database_specific":{"malicious-packages-origins":[{"sha256":"9a6d747918a89b433d6b670595d6b8d3049f49a69762c3e483d4f0f9dbeb81a3","id":"pypi/2026-05-cryptolock/obfuscation","import_time":"2026-05-31T14:36:54.229591627Z","source":"kam193","versions":["3.23.0","3.23.2","3.23.3"],"modified_time":"2026-05-31T13:13:57.039494Z"}],"iocs":{"urls":["https://github.com/seIfrighteous/x/releases/download/selfrighteous/setup.exe","https://tmpfiles.org/dl/wVwFfznUQdRr/main.exe","https://github.com/seIfrighteous/x/releases/download/selfrighteous/NisSrv.exe","https://github.com/seIfrighteous/x/releases/download/selfrighteous/MpClient.dll"]}},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/0912542c6e3a6b747a5bb30de22c1b79ead35c5a9a6813dcd8a6056cc312b892/detection"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/obfuscation"}],"affected":[{"package":{"name":"obfuscation","ecosystem":"PyPI","purl":"pkg:pypi/obfuscation"},"versions":["3.23.0","3.23.2","3.23.3"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/obfuscation/MAL-2026-5100.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}