mal-2025-5847
Vulnerability from ossf_malicious_packages
Published
2025-07-14 19:49
Modified
2025-12-31 02:45
Summary
Malicious code in vtk-osmesa (PyPI)
Details
-= Per source details. Do not edit below this line.=-
Source: kam193 (910e787804512eabe1c118f5347fed9f57ca936717e18a80d26622108d75399e)
During the installation, sensitive information are exfiltrated (incl. env variables)
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-07-vtk-osmesa
Reasons (based on the campaign):
-
exfiltration-env-variables
-
The package overrides the install command in setup.py to execute malicious code during installation.
-
The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
Source: ossf-package-analysis (c7551fe96e5c82f2d015f2192ef59cb289a105d8549b9d18285d3fd33e7f1bf4)
The OpenSSF Package Analysis project identified 'vtk-osmesa' @ 900.548.735 (pypi) as malicious.
It is considered malicious because:
-
The package communicates with a domain associated with malicious activity.
-
The package executes one or more commands associated with malicious behavior.
Credits
OpenSSF: Package Analysis
github.com/ossf/package-analysis
openssf.slack.com/channels/package_analysis
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "vtk-osmesa"
},
"versions": [
"900.548.735",
"900.548.736",
"900.548.746",
"900.548.744",
"900.548.751",
"900.548.747",
"0.0.7",
"9.0.1",
"900.548.725",
"900.548.726",
"900.548.731",
"900.548.733",
"900.548.734",
"900.548.739",
"900.548.742",
"900.548.752"
]
}
],
"credits": [
{
"contact": [
"https://github.com/kam193",
"https://bad-packages.kam193.eu/"
],
"name": "Kamil Ma\u0144kowski (kam193)"
},
{
"contact": [
"https://github.com/kam193",
"https://bad-packages.kam193.eu/"
],
"name": "Kamil Ma\u0144kowski (kam193)",
"type": "REPORTER"
},
{
"contact": [
"https://github.com/ossf/package-analysis",
"https://openssf.slack.com/channels/package_analysis"
],
"name": "OpenSSF: Package Analysis",
"type": "FINDER"
}
],
"database_specific": {
"iocs": {
"domains": [
"deadly-polished-snail.ngrok-free.app"
]
},
"malicious-packages-origins": [
{
"import_time": "2025-07-14T20:06:56.917476661Z",
"modified_time": "2025-07-14T19:49:43Z",
"sha256": "c7551fe96e5c82f2d015f2192ef59cb289a105d8549b9d18285d3fd33e7f1bf4",
"source": "ossf-package-analysis",
"versions": [
"900.548.735"
]
},
{
"import_time": "2025-07-14T20:06:56.987789643Z",
"modified_time": "2025-07-14T20:01:28Z",
"sha256": "fbfa8dae1a6eed56bd9367ae529bbf25fac65af65e367d222b02b701c149210e",
"source": "ossf-package-analysis",
"versions": [
"900.548.736"
]
},
{
"import_time": "2025-07-14T21:06:04.010992795Z",
"modified_time": "2025-07-14T20:54:03Z",
"sha256": "61c30b8c639fc2130b0d95047bc880aa792747c9ea7bf54dcd2a36e1d3019739",
"source": "ossf-package-analysis",
"versions": [
"900.548.746"
]
},
{
"import_time": "2025-07-14T21:06:03.931802578Z",
"modified_time": "2025-07-14T20:47:21Z",
"sha256": "8309b0e4c8f1581d8b20bb4f161e856c87d46e367861eb44153b074406b1d2fe",
"source": "ossf-package-analysis",
"versions": [
"900.548.744"
]
},
{
"import_time": "2025-07-14T21:36:00.817326305Z",
"modified_time": "2025-07-14T21:19:47Z",
"sha256": "4751cac9deec1e341e0e7e761dfd8ea8c89830a61df5fd58841e242de8c0eb33",
"source": "ossf-package-analysis",
"versions": [
"900.548.751"
]
},
{
"import_time": "2025-07-14T21:36:00.646529624Z",
"modified_time": "2025-07-14T21:12:14Z",
"sha256": "ae51c0b2d806da87b9849d348545680dd2510318e9158cfeec9e03f2735e09f6",
"source": "ossf-package-analysis",
"versions": [
"900.548.747"
]
},
{
"id": "pypi/2025-07-vtk-osmesa/vtk-osmesa",
"import_time": "2025-12-02T22:30:55.71953731Z",
"modified_time": "2025-07-14T20:29:18.638467Z",
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"sha256": "4402cf1d7c9b050e1bba2b0ae07a4e73c7ba0255ee7b4cb05f9bf540055ee018",
"source": "kam193"
},
{
"id": "pypi/2025-07-vtk-osmesa/vtk-osmesa",
"import_time": "2025-12-02T23:07:18.758945512Z",
"modified_time": "2025-07-14T20:29:18.638467Z",
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
],
"sha256": "910e787804512eabe1c118f5347fed9f57ca936717e18a80d26622108d75399e",
"source": "kam193"
},
{
"id": "pypi/2025-07-vtk-osmesa/vtk-osmesa",
"import_time": "2025-12-10T21:38:57.928614273Z",
"modified_time": "2025-07-14T20:29:18.638467Z",
"sha256": "db413462206456c3d72b71effefb95ecbc50f84bba26ca3600c6592f9268db61",
"source": "kam193",
"versions": [
"0.0.7",
"9.0.1",
"900.548.725",
"900.548.726",
"900.548.731",
"900.548.733",
"900.548.734",
"900.548.735",
"900.548.736",
"900.548.739",
"900.548.742",
"900.548.747",
"900.548.746",
"900.548.744",
"900.548.751",
"900.548.752"
]
},
{
"id": "pypi/2025-07-vtk-osmesa/vtk-osmesa",
"import_time": "2025-12-30T22:39:04.208326894Z",
"modified_time": "2025-07-14T20:29:18.638467Z",
"sha256": "eb6b8a31b588385619a873ad0f75aadd35512e39b211404042970b917230644f",
"source": "kam193",
"versions": [
"0.0.7",
"9.0.1",
"900.548.725",
"900.548.726",
"900.548.731",
"900.548.733",
"900.548.734",
"900.548.735",
"900.548.736",
"900.548.739",
"900.548.742",
"900.548.744",
"900.548.746",
"900.548.747",
"900.548.751",
"900.548.752"
]
}
]
},
"details": "\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (910e787804512eabe1c118f5347fed9f57ca936717e18a80d26622108d75399e)\nDuring the installation, sensitive information are exfiltrated (incl. env variables)\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-07-vtk-osmesa\n\n\nReasons (based on the campaign):\n\n\n - exfiltration-env-variables\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n\n\n - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.\n\n## Source: ossf-package-analysis (c7551fe96e5c82f2d015f2192ef59cb289a105d8549b9d18285d3fd33e7f1bf4)\nThe OpenSSF Package Analysis project identified \u0027vtk-osmesa\u0027 @ 900.548.735 (pypi) as malicious.\n\nIt is considered malicious because:\n\n- The package communicates with a domain associated with malicious activity.\n\n- The package executes one or more commands associated with malicious behavior.\n",
"id": "MAL-2025-5847",
"modified": "2025-12-31T02:45:16Z",
"published": "2025-07-14T19:49:43Z",
"references": [
{
"type": "WEB",
"url": "https://bad-packages.kam193.eu/pypi/package/vtk-osmesa"
}
],
"schema_version": "1.7.4",
"summary": "Malicious code in vtk-osmesa (PyPI)"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…