{"id":"MAL-2026-6960","summary":"Malicious code in pyqt6darktheme (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (8cd6d16792d681b160ae1e11b3f698d8fd3004cd6019704008ad1c649fbe6f67)\nPackage downloads and runs a remote executable, which was found to downloads further exes and starting coine mining\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-07-pyqt6darktheme\n\n\nReasons (based on the campaign):\n\n\n - cryptominer\n\n\n - Downloads and executes a remote executable.\n\n\n - malware\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n","modified":"2026-07-09T13:46:53.075918410Z","published":"2026-07-08T04:25:06Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-07-08T06:02:27.065761304Z","modified_time":"2026-07-08T04:25:06.972829Z","id":"pypi/2026-07-pyqt6darktheme/pyqt6darktheme","versions":["0.1.0"],"source":"kam193","sha256":"2bdc188e3830dcb855d495618a4f3de11307a230cfef8c8ca4ce93199f254ca7"},{"import_time":"2026-07-09T13:32:44.48675574Z","modified_time":"2026-07-08T04:25:06.972829Z","id":"pypi/2026-07-pyqt6darktheme/pyqt6darktheme","versions":["0.1.0"],"source":"kam193","sha256":"8cd6d16792d681b160ae1e11b3f698d8fd3004cd6019704008ad1c649fbe6f67"}],"iocs":{"urls":["http://florinn.dev:65534/ins.exe","http://florinn.dev:65534/kasgjiasjfiw.exe","http://florinn.dev:65534/kasgjiasjfim.exe"],"domains":["florinn.dev"]}},"references":[{"type":"EVIDENCE","url":"https://tria.ge/260708-eg92psat5t"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/93be0d295af944feef85c8694f88a50b660f106a5ed18300252a72d8b43b69de/detection"},{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/1f1963b8ccabbb9aaae9ce93b78d91f4f01faf0a21aed8e71b2adece16f8d5e6/detection"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/pyqt6darktheme"}],"affected":[{"package":{"name":"pyqt6darktheme","ecosystem":"PyPI","purl":"pkg:pypi/pyqt6darktheme"},"versions":["0.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pyqt6darktheme/MAL-2026-6960.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}