mal-2025-4526
Vulnerability from ossf_malicious_packages
Published
2025-05-27 14:52
Modified
2025-12-11 09:27
Summary
Malicious code in caixaequ2ahzoop (PyPI)
Details
-= Per source details. Do not edit below this line.=-
Source: kam193 (da1d699d5d12de135ae0da4180622e30084a77fd76ee5cd36fe5667ce14c4bbe)
Obfuscated code gets a command from the remote target and executes it. At the time of the test, it was just "whoami". Thus, it's rather just an experiment
Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.
Campaign: 2025-05-caixaequ2ahzoop
Reasons (based on the campaign):
-
obfuscation
-
The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.
Source: ossf-package-analysis (82f9967b944983f117b085820df45222a6d7e6cfd130081af546f52071f9e21d)
The OpenSSF Package Analysis project identified 'caixaequ2ahzoop' @ 2.0.0 (pypi) as malicious.
It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Credits
OpenSSF: Package Analysis
github.com/ossf/package-analysis
openssf.slack.com/channels/package_analysis
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "caixaequ2ahzoop"
},
"versions": [
"2.0.0",
"2.0.1"
]
}
],
"credits": [
{
"contact": [
"https://github.com/kam193",
"https://bad-packages.kam193.eu/"
],
"name": "Kamil Ma\u0144kowski (kam193)"
},
{
"contact": [
"https://github.com/kam193",
"https://bad-packages.kam193.eu/"
],
"name": "Kamil Ma\u0144kowski (kam193)",
"type": "REPORTER"
},
{
"contact": [
"https://github.com/ossf/package-analysis",
"https://openssf.slack.com/channels/package_analysis"
],
"name": "OpenSSF: Package Analysis",
"type": "FINDER"
}
],
"database_specific": {
"iocs": {
"domains": [
"d3gnpasobcdyif.cloudfront.net"
]
},
"malicious-packages-origins": [
{
"import_time": "2025-05-28T02:35:47.412678282Z",
"modified_time": "2025-05-27T14:52:36Z",
"sha256": "82f9967b944983f117b085820df45222a6d7e6cfd130081af546f52071f9e21d",
"source": "ossf-package-analysis",
"versions": [
"2.0.0"
]
},
{
"import_time": "2025-05-28T02:35:47.502811603Z",
"modified_time": "2025-05-27T15:06:15Z",
"sha256": "d1dea941c248c1d64b68f80e89ff01f645683d7b5d8ec260709e4f43191fb222",
"source": "ossf-package-analysis",
"versions": [
"2.0.1"
]
},
{
"id": "pypi/2025-05-caixaequ2ahzoop/caixaequ2ahzoop",
"import_time": "2025-12-02T22:30:55.928509781Z",
"modified_time": "2025-05-28T01:52:43Z",
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"sha256": "9545f83711d0d85c5530e296ec6ef300f8785f643cdc77efc3ca7c7e2a486002",
"source": "kam193"
},
{
"id": "pypi/2025-05-caixaequ2ahzoop/caixaequ2ahzoop",
"import_time": "2025-12-02T23:07:19.11853038Z",
"modified_time": "2025-05-28T01:52:43Z",
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"sha256": "da1d699d5d12de135ae0da4180622e30084a77fd76ee5cd36fe5667ce14c4bbe",
"source": "kam193"
},
{
"id": "pypi/2025-05-caixaequ2ahzoop/caixaequ2ahzoop",
"import_time": "2025-12-10T21:38:58.252250813Z",
"modified_time": "2025-05-28T01:52:43Z",
"sha256": "8bc44605b08b6de7f77947a3a750f4b38145f3f1e6bd9075d1cd269489d4f9c4",
"source": "kam193",
"versions": [
"2.0.0",
"2.0.1"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (da1d699d5d12de135ae0da4180622e30084a77fd76ee5cd36fe5667ce14c4bbe)\nObfuscated code gets a command from the remote target and executes it. At the time of the test, it was just \"whoami\". Thus, it\u0027s rather just an experiment\n\n\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research \u0026 co, with clearly low-harm possibilities.\n\n\nCampaign: 2025-05-caixaequ2ahzoop\n\n\nReasons (based on the campaign):\n\n\n - obfuscation\n\n\n - The package contains code to execute remote commands (probably limited to a specific set) on the victim\u0027s machine.\n\n## Source: ossf-package-analysis (82f9967b944983f117b085820df45222a6d7e6cfd130081af546f52071f9e21d)\nThe OpenSSF Package Analysis project identified \u0027caixaequ2ahzoop\u0027 @ 2.0.0 (pypi) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n",
"id": "MAL-2025-4526",
"modified": "2025-12-11T09:27:52Z",
"published": "2025-05-27T14:52:36Z",
"references": [
{
"type": "WEB",
"url": "https://bad-packages.kam193.eu/pypi/package/caixaequ2ahzoop"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in caixaequ2ahzoop (PyPI)"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…