mal-2025-47510
Vulnerability from ossf_malicious_packages
Published
2025-09-22 02:12
Modified
2025-12-03 00:04
Summary
Malicious code in vielcord (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (4663c6d9af6fa1feac7fd1719e4ff1a729bc8297eec7ce927a13804d475d2c8b)

During the execution, the package silently download and runs a JAR not related to the package job. At the time of analysis, the content was corrupted

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-09-gtts-lts

Reasons (based on the campaign):

  • Downloads and executes a remote executable.

  • action-hidden-in-lib-usage

Source: oracle-using-macaron (f35b1416b7e82dbedf8d0f943973c7f2c4af1ebd85f2a69ebd582f6c4d58f60e)

This package is designed to typosquat veilcord. When imported, it automatically decodes and executes a hidden payload.

Credits
Kamil Mańkowski (kam193) github.com/kam193 bad-packages.kam193.eu/
Kamil Mańkowski (kam193) github.com/kam193 bad-packages.kam193.eu/
Oracle using Macaron github.com/oracle/macaron
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vielcord",
        "purl": "pkg:pypi/vielcord"
      },
      "versions": [
        "0.0.7.5"
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "https://github.com/kam193",
        "https://bad-packages.kam193.eu/"
      ],
      "name": "Kamil Ma\u0144kowski (kam193)"
    },
    {
      "contact": [
        "https://github.com/kam193",
        "https://bad-packages.kam193.eu/"
      ],
      "name": "Kamil Ma\u0144kowski (kam193)",
      "type": "ANALYST"
    },
    {
      "contact": [
        "https://github.com/oracle/macaron"
      ],
      "name": "Oracle using Macaron",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "iocs": {
      "urls": [
        "https://github.com/michalethernatg/symmetrical-octo-parakeet/raw/refs/heads/main/meow.bin",
        "https://github.com/michalethernatg/symmetrical-octo-parakeet/raw/refs/heads/main/shell.exe"
      ]
    },
    "malicious-packages-origins": [
      {
        "import_time": "2025-09-22T02:12:23Z",
        "modified_time": "2025-09-22T02:12:23Z",
        "sha256": "f35b1416b7e82dbedf8d0f943973c7f2c4af1ebd85f2a69ebd582f6c4d58f60e",
        "source": "oracle-using-macaron",
        "versions": [
          "0.0.7.5"
        ]
      },
      {
        "id": "pypi/2025-09-gtts-lts/vielcord",
        "import_time": "2025-12-02T22:30:55.71359786Z",
        "modified_time": "2025-09-24T18:43:02.726948Z",
        "sha256": "a2cdbade2ade551e1b920eddd48c3586f09155ed000f3fd38ad38094b167be06",
        "source": "kam193",
        "versions": [
          "0.0.7.5"
        ]
      },
      {
        "id": "pypi/2025-09-gtts-lts/vielcord",
        "import_time": "2025-12-02T23:07:18.753174914Z",
        "modified_time": "2025-09-24T18:43:02.726948Z",
        "sha256": "4663c6d9af6fa1feac7fd1719e4ff1a729bc8297eec7ce927a13804d475d2c8b",
        "source": "kam193",
        "versions": [
          "0.0.7.5"
        ]
      }
    ]
  },
  "details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (4663c6d9af6fa1feac7fd1719e4ff1a729bc8297eec7ce927a13804d475d2c8b)\nDuring the execution, the package silently download and runs a JAR not related to the package job. At the time of analysis, the content was corrupted\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-09-gtts-lts\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n\n\n - action-hidden-in-lib-usage\n\n## Source: oracle-using-macaron (f35b1416b7e82dbedf8d0f943973c7f2c4af1ebd85f2a69ebd582f6c4d58f60e)\nThis package is designed to typosquat veilcord. When imported, it automatically decodes and executes a hidden payload.\n",
  "id": "MAL-2025-47510",
  "modified": "2025-12-03T00:04:28Z",
  "published": "2025-09-22T02:12:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://bad-packages.kam193.eu/pypi/package/vielcord"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in vielcord (PyPI)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.