{"id":"MAL-2026-625","summary":"Malicious code in hangimani (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (4eb1b67eac28a42f372ecaaca274a28d15972e3cc8e063492f977364538e6c41)\nDuring importing the module, package downloads a second-stage code from GitHub, which then runs an infostealer. After that, the downloaded code is removed\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-02-old-hangman\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote malicious script.\n\n\n - infostealer\n\n\n - covering-tracks\n","modified":"2026-02-23T02:54:42.579363Z","published":"2026-02-02T00:02:05Z","database_specific":{"malicious-packages-origins":[{"versions":["1.0.0"],"modified_time":"2026-02-02T00:02:05.729063Z","import_time":"2026-02-02T00:34:49.33936935Z","source":"kam193","sha256":"4eb1b67eac28a42f372ecaaca274a28d15972e3cc8e063492f977364538e6c41","id":"pypi/2026-02-old-hangman/hangimani"},{"versions":["1.0.0"],"modified_time":"2026-02-02T00:02:05.729063Z","import_time":"2026-02-04T17:48:33.701198809Z","source":"kam193","sha256":"d0bfb239431bc716583843c5ca362ba4df71ff1beaed771ec95e3dcad22753a2","id":"pypi/2026-02-old-hangman/hangimani"}],"iocs":{"urls":["https://codeload.github.com/Samantha0709/HangMan","https://pastebin.com/raw/61NdZQax"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/hangimani"},{"type":"WEB","url":"https://github.com/Samantha0709/HangMan/blob/36397c0a3e5abffa884ca92515981b4af305c9c7/src/HangMan.py#L17"},{"type":"WEB","url":"https://raw.githubusercontent.com/Samantha0709/Hang/main/browser.py"}],"affected":[{"package":{"name":"hangimani","ecosystem":"PyPI","purl":"pkg:pypi/hangimani"},"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/hangimani/MAL-2026-625.json"}}],"schema_version":"1.7.3","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}