MALICIOUS (1) package from Python Package Index.
- The campaign has clearly malicious intent, like infostealers.
schemavault¶
Affected versions: (1) 4.1.0, 4.1.1
- Version numbers are usually added automatically. In most cases, the packages listed here were created only to distribute malicious code.
Campaign data¶
Campaign information may not always be 100% accurate for every related package.
Campaign description
The campaign consists of multiple packages. The trigger sits in the package 'procwire,' which depends on two others. During installation, procwire uses schemavault and bytekit packages. The first one holds the URL holding malware (in two places, once as steganography in the bundled image and once as a fallback just as a list of encoded bytes). The bytekit implements simple custom decoding used to retrieve back the URL in the fallback method. Additionally, procwire is also a dependency of confighub, turning another package into malware. The downloaded executable is run and quickly removed. The executable likely contains an infostealer and contacts the domain 030502[.]xyz
See more details on the campaign page.
malware
Package contains or installs known malware.
obfuscation
Code uses obfuscation techniques to hide its true purpose.
override_install
The package overrides the install command in setup.py to execute malicious code during installation.
remote_executable
Downloads and executes a remote executable.
steganography
The package uses steganography techniques to hide malicious data
through_dependency
The malicious code is intentionally included in a dependency of the package
Look up in other services¶
- Check metadata in pypi-data project (1)
- Search for the package in deps.dev(2)
- Search for the package in socket.dev (3)
- Search for the package in secure.software (4)
- Search for the package in Snyk Advisor (5)
- May not be available. See more in pypi-json-data repository.
- Open Source Insights project, provided by Google.
- Service from Socket.dev, a cybersecurity company.
- Spectra Assure Community, a service from ReversingLabs, a cybersecurity company.
- Service from Snyk, a cybersecurity company.