Skip to content

MALICIOUS (1) package from Python Package Index.

  1. The campaign has clearly malicious intent, like infostealers.

ipa-user-collector

Affected versions: (1) 8.5.3

  1. Version numbers are usually added automatically. In most cases, the packages listed here were created only to distribute malicious code.

Campaign data

Campaign information may not always be 100% accurate for every related package.

Campaign description

During installation the obfuscated code downloads a malicious executable from a remote location. Code is designed to survive different blocks: first, there is an attempt to download the executable from one of five Cloudflare Workers. If it's not successful, the code falls back to download using DNS: first, it gets a TXT record from c.lin.dl.wel1[.]ru. This record returns a number, which is then used to iterate over domains in the form <0...n>.lin.dl.wel1[.]r and reconstruct the encoded executable from their TXT records. The executable is finally saved under a partially random name, executed, and removed after execution. The Linux executable contacts a few domains, but there is no more detailed information about its behavior available.

See more details on the campaign page.

covering-tracks

The package contains code to cover its tracks, e.g. by deleting malicious code after execution.

dependency-confusion

An attempt to exploit dependency confusion

malware

Package contains or installs known malware.

obfuscation

Code uses obfuscation techniques to hide its true purpose.

other

Campaign targets other.

override_install

The package overrides the install command in setup.py to execute malicious code during installation.

remote_executable

Downloads and executes a remote executable.

targetted-attack

Campaign targets targetted-attack.

Look up in other services

  1. May not be available. See more in pypi-json-data repository.
  2. Open Source Insights project, provided by Google.
  3. Service from Socket.dev, a cybersecurity company.
  4. Spectra Assure Community, a service from ReversingLabs, a cybersecurity company.
  5. Service from Snyk, a cybersecurity company.