Skip to content

MALICIOUS (1) package from Python Package Index.

  1. The campaign has clearly malicious intent, like infostealers.

pyapiepo

  1. May not be available. See more in pypi-json-data repository.
  2. Version numbers are currently not tracked. Assume all versions are affected.

Campaign data

Campaign information may not always be 100% accurate for every related package.

Campaign description

Campaign is split into multiple packages that altogether exfiltrates data from desktop Telegram application.

  1. "pyapiepo" is a cover package that provides some useless features BUT also imports "zscaner"
  2. "zscaner", when imported, automatically runs a function that is an entry point to the whole process; it uses the "scan" from "reqinstall" to walk through directories. The package also provides main logic: filtering files, triggering archiving directories and exfiltrating them.
  3. "reqinstall" ensures "requests" are installed and provides a directory tree scanning function.
  4. "zmaker" provides functions to build archives from collected files.
  5. "zsender" provides functions to exfiltrate data, the remote URL and a function to deobfuscate configuration in other packages.

Altogether, they look for "Telegram Desktop" folder, archive user data stored there and exfiltrate to a remote location.

See more details on the campaign page.

exfiltration_generic

Campaign targets exfiltration_generic.

target:telegram

Campaign targets target:telegram.

through_dependency

The malicious code is intentionally included in a dependency of the package