mal-2025-3450
Vulnerability from ossf_malicious_packages
Published
2025-03-18 09:49
Modified
2025-12-31 02:45
Summary
Malicious code in logax (PyPI)
Details
-= Per source details. Do not edit below this line.=-
Source: kam193 (e129e6d6d38e21a039bd2190e3138f1381ad386e45a49521621a8b8ad61f7678)
The package is capable of installing malware from a hardcoded URL. The malware is well-recognized and acts as infostealer. Interestingly, it uses Steam profiles to get the current C2 domain (based on sandbox analysis).
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-03-logax
Reasons (based on the campaign):
-
infostealer
-
malware
Credits
ReversingLabs
www.reversinglabs.com
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "logax",
"purl": "pkg:pypi/logax"
},
"versions": [
"1",
"1.5",
"2.4",
"2.5",
"2.7",
"2.9",
"3.1",
"3.2",
"3.4",
"3.5",
"3.6",
"3.7",
"3.8",
"3.9",
"4",
"4.2",
"4.3",
"4.5",
"4.8",
"4.9",
"5",
"5.2",
"5.3",
"5.4",
"8.3",
"4.0",
"5.0"
]
}
],
"credits": [
{
"contact": [
"https://github.com/kam193",
"https://bad-packages.kam193.eu/"
],
"name": "Kamil Ma\u0144kowski (kam193)"
},
{
"contact": [
"https://github.com/kam193",
"https://bad-packages.kam193.eu/"
],
"name": "Kamil Ma\u0144kowski (kam193)",
"type": "REPORTER"
},
{
"contact": [
"https://www.reversinglabs.com"
],
"name": "ReversingLabs",
"type": "FINDER"
}
],
"database_specific": {
"iocs": {
"domains": [
"acerputas.90shipsnormal.site"
],
"urls": [
"https://anonfile.io/api/download/rzOy11HD",
"https://anonfile.io/api/download/iJbMXihN",
"https://store4.gofile.io/download/web/dcec487f-df79-4ec0-99d1-ac2cc299329a/Saucy.exe",
"https://steamcommunity.com/profiles/76561199830115115/",
"https://acerputas.90shipsnormal.site/api/log"
]
},
"malicious-packages-origins": [
{
"id": "RLMA-2025-02512",
"import_time": "2025-04-25T09:36:46.679042013Z",
"modified_time": "2025-04-23T16:06:27Z",
"sha256": "14dec44fd3afb9745d8838e0570fb0e0db4fd51f3a101e8b065ea53534286f6c",
"source": "reversing-labs",
"versions": [
"1",
"1.5",
"2.4",
"2.5",
"2.7",
"2.9",
"3.1",
"3.2",
"3.4",
"3.5",
"3.6",
"3.7",
"3.8",
"3.9",
"4",
"4.2",
"4.3",
"4.5",
"4.8",
"4.9",
"5",
"5.2",
"5.3",
"5.4",
"8.3"
]
},
{
"id": "pypi/2025-03-logax/logax",
"import_time": "2025-12-02T22:30:55.313127728Z",
"modified_time": "2025-03-18T09:49:12Z",
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"sha256": "2bbac92c2eb7e20fcf7b96dcd2a6e96353d9e5e0cbb7b9de97ec258645995264",
"source": "kam193"
},
{
"id": "pypi/2025-03-logax/logax",
"import_time": "2025-12-02T23:07:18.339785379Z",
"modified_time": "2025-03-18T09:49:12Z",
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"sha256": "e129e6d6d38e21a039bd2190e3138f1381ad386e45a49521621a8b8ad61f7678",
"source": "kam193"
},
{
"id": "pypi/2025-03-logax/logax",
"import_time": "2025-12-10T21:38:57.572528169Z",
"modified_time": "2025-03-18T09:49:12Z",
"sha256": "04e36d292d30c17c677e673242120722d25b56cc1e4c8f11766323e96bcbe2e5",
"source": "kam193",
"versions": [
"1",
"1.5",
"2.7",
"3.8",
"8.3",
"3.6",
"3.7",
"2.4",
"3.5",
"2.5",
"3.2",
"2.9",
"3.1",
"3.4",
"3.9",
"4.0",
"4.2",
"4.3",
"4.5",
"4.8",
"4.9",
"5.2",
"5.0",
"5.3",
"5.4"
]
},
{
"id": "pypi/2025-03-logax/logax",
"import_time": "2025-12-30T22:39:04.12239451Z",
"modified_time": "2025-03-18T09:49:12Z",
"sha256": "0828cc74cc0f7033c0bf58055fc419a5f1db7b5f7f5281e640ba0cd7c4cb416d",
"source": "kam193",
"versions": [
"1",
"1.5",
"2.4",
"2.5",
"2.7",
"2.9",
"3.1",
"3.2",
"3.4",
"3.5",
"3.6",
"3.7",
"3.8",
"3.9",
"4.0",
"4.2",
"4.3",
"4.5",
"4.8",
"4.9",
"5.0",
"5.2",
"5.3",
"5.4",
"8.3"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (e129e6d6d38e21a039bd2190e3138f1381ad386e45a49521621a8b8ad61f7678)\nThe package is capable of installing malware from a hardcoded URL. The malware is well-recognized and acts as infostealer. Interestingly, it uses Steam profiles to get the current C2 domain (based on sandbox analysis).\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-03-logax\n\n\nReasons (based on the campaign):\n\n\n - infostealer\n\n\n - malware\n",
"id": "MAL-2025-3450",
"modified": "2025-12-31T02:45:15Z",
"published": "2025-03-18T09:49:12Z",
"references": [
{
"type": "EVIDENCE",
"url": "https://www.virustotal.com/gui/file/e4e480f35f9aad3b5c6410b701c7ef780b38b879cfa55e01ab3404ce02212f1a"
},
{
"type": "EVIDENCE",
"url": "https://tria.ge/250318-hmkksawvh1"
},
{
"type": "WEB",
"url": "https://bad-packages.kam193.eu/pypi/package/logax"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in logax (PyPI)"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…