{"id":"MAL-2026-562","summary":"Malicious code in tabullates (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (499d47c3064299cb3d921b32ac9f22c2bab7b0b841b3de3a0cee3029625d5d26)\nPackages contain hidden code that is effectively run during importing or using the library, and downloads second stage code. Then, a process running in background periodically connects to a remote host and waits for next code to execute\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-11-spellcheckers\n\n\nReasons (based on the campaign):\n\n\n - obfuscation\n\n\n - Downloads and executes a remote malicious script.\n\n\n - The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.\n","modified":"2026-03-13T06:51:05.609426Z","published":"2026-01-28T07:42:32Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.1"],"modified_time":"2026-01-28T07:42:32.283211Z","source":"kam193","id":"pypi/2025-11-spellcheckers/tabullates","import_time":"2026-01-28T08:10:46.453455711Z","sha256":"499d47c3064299cb3d921b32ac9f22c2bab7b0b841b3de3a0cee3029625d5d26"},{"versions":["1.0.1","1.0.2"],"modified_time":"2026-01-28T09:03:09.192995Z","source":"kam193","id":"pypi/2025-11-spellcheckers/tabullates","import_time":"2026-01-28T09:46:09.164774837Z","sha256":"f5af0290d2ad9a879ef3624e8cca4bec9095fdb44db0282b226e13ea50ff92bd"},{"versions":["1.0.1","1.0.2","1.0.3"],"modified_time":"2026-01-28T11:09:45.671528Z","source":"kam193","id":"pypi/2025-11-spellcheckers/tabullates","import_time":"2026-01-28T11:39:32.809136179Z","sha256":"65716e7bcfa81eb62800794a53ce1f01c6593e89a016b3d30f7803e3107036c4"},{"versions":["1.0.1","1.0.2","1.0.3","1.0.4"],"modified_time":"2026-01-28T13:24:12.682678Z","source":"kam193","id":"pypi/2025-11-spellcheckers/tabullates","import_time":"2026-01-28T13:49:01.828657965Z","sha256":"6af1b6872fcae12cc1651e6981265f929ab2532437971cb983876a9ae6e01aaf"},{"versions":["1.0.1","1.0.2","1.0.3","1.0.4"],"modified_time":"2026-01-28T13:24:12.682678Z","source":"kam193","id":"pypi/2025-11-spellcheckers/tabullates","import_time":"2026-01-28T19:11:43.706788748Z","sha256":"8a340ee49ae80adf9f248ab7d565ff184ce2b93466a522ba91c321a9fe1c7a8f"},{"versions":["1.0.1","1.0.2","1.0.3","1.0.4"],"modified_time":"2026-01-28T13:24:12.682678Z","source":"kam193","id":"pypi/2025-11-spellcheckers/tabullates","import_time":"2026-03-11T10:47:48.538928009Z","sha256":"7fdbcc76dc779d82632d7bfa1643843861e17cb03839382640c68637b61627ff"}],"iocs":{"urls":["https://dothebest.store/allow/inform.php","https://dothebest.store/refresh.php","https://searchbox.info/prefer.php","https://updatenet.work/settings/history.php","https://dothebest.store/allow"],"domains":["dothebest.store","searchbox.info","updatenet.work"]}},"references":[{"type":"WEB","url":"https://helixguard.ai/blog/malicious-spellcheckers-2025-11-19"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/tabullates"},{"type":"WEB","url":"https://www.aikido.dev/blog/malicious-pypi-packages-spellcheckpy-and-spellcheckerpy-deliver-python-rat"}],"affected":[{"package":{"name":"tabullates","ecosystem":"PyPI","purl":"pkg:pypi/tabullates"},"versions":["1.0.1","1.0.2","1.0.3","1.0.4"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/tabullates/MAL-2026-562.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"}]}