{"id":"MAL-2026-6","summary":"Malicious code in ziphash (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (e9a36a54bad10e0f086740a84fd0a837dd4bf1cc9c3c0707648af4bb3855a03e)\nDuring initialization of the archive-support class, the package starts code from another file and downloads multi-stage malware\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-11-uzip\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n\n\n - obfuscation\n\n\n - malware\n","modified":"2026-02-26T10:05:40.145750Z","published":"2026-01-01T22:08:29Z","database_specific":{"iocs":{"ips":["77.105.161.164","87.120.107.132"],"urls":["http://77.105.161.164:3301/library","http://77.105.161.164:3301/die1","http://87.120.107.132:1488/df"]},"malicious-packages-origins":[{"id":"pypi/2025-11-uzip/ziphash","import_time":"2026-01-01T23:07:30.864548307Z","modified_time":"2026-01-01T22:08:29.251788Z","sha256":"e9a36a54bad10e0f086740a84fd0a837dd4bf1cc9c3c0707648af4bb3855a03e","source":"kam193","versions":["0.1.5"]},{"modified_time":"2026-01-02T19:55:15.640066Z","sha256":"de06ccd70fe8b69002b46d408c03d54b67573964d444478357e6a7226b418abf","source":"kam193","versions":["0.1.5","0.1.6"],"id":"pypi/2025-11-uzip/ziphash","import_time":"2026-01-02T20:39:13.21452589Z"},{"versions":["0.1.5","0.1.6"],"id":"pypi/2025-11-uzip/ziphash","import_time":"2026-02-26T09:49:02.356852249Z","modified_time":"2026-01-02T19:55:15.640066Z","sha256":"21f7874e4477f3097058af5714eb0bfa79c452d931fa4fd918faf11b1e10e5a8","source":"kam193"}]},"references":[{"type":"WEB","url":"https://www.virustotal.com/gui/file-analysis/MGEwNWE0MzhlMTU3NTUxZTU1OGI4NTRkYTA2MWMxM2M6MTc2MzgzMDEyNA=="},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/8808a0a09c0180afe742f0265f8b42bf671bc2083dcecd47c1515f52554200d9/detection"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/ziphash"},{"type":"WEB","url":"https://www.getsafety.com/blog-posts/extrazip-malware-campaign"}],"affected":[{"package":{"name":"ziphash","ecosystem":"PyPI","purl":"pkg:pypi/ziphash"},"versions":["0.1.5","0.1.6"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/ziphash/MAL-2026-6.json"}}],"schema_version":"1.7.3","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"}]}