MAL-2024-11540

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/botoceor/MAL-2024-11540.json

JSON Data

https://api.test.osv.dev/v1/vulns/MAL-2024-11540

Published

2024-09-20T11:29:31Z

Modified

2025-12-12T20:39:33.066785Z

Summary

Malicious code in botoceor (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (8bf39054053dfe99fc83c836bb407659d11241cc09f2572a72524d980b9c5914)

During installation, a cryptominer is secretly installed and started.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2024-09-bondonioanderas-cryptominer

Reasons (based on the campaign):

cryptominer
The package overrides the install command in setup.py to execute malicious code during installation.
obfuscation

Database specific

{
    "iocs": {
        "urls": [
            "https://raw.githubusercontent.com/MoneroOcean/xmrig_setup/master/setup_moneroocean_miner.sh"
        ]
    },
    "malicious-packages-origins": [
        {
            "source": "reversing-labs",
            "import_time": "2024-12-09T14:38:41.420328255Z",
            "id": "RLMA-2024-10985",
            "sha256": "07eb844da3012a034cb8acc4534f4198e3627b63c3fb678017249b509818dcca",
            "modified_time": "2024-12-09T06:49:52Z",
            "versions": [
                "0.1"
            ]
        },
        {
            "source": "kam193",
            "import_time": "2025-12-02T22:30:55.001798311Z",
            "id": "pypi/2024-09-bondonioanderas-cryptominer/botoceor",
            "sha256": "19e6df8abf96daa2ced23c34ef497ec4f4fa782a5b4abb5f3139dd94683dee75",
            "modified_time": "2024-09-20T11:29:31Z",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ]
        },
        {
            "source": "kam193",
            "import_time": "2025-12-02T23:07:18.030240224Z",
            "id": "pypi/2024-09-bondonioanderas-cryptominer/botoceor",
            "sha256": "8bf39054053dfe99fc83c836bb407659d11241cc09f2572a72524d980b9c5914",
            "modified_time": "2024-09-20T11:29:31Z",
            "ranges": [
                {
                    "type": "ECOSYSTEM",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ]
        },
        {
            "source": "kam193",
            "import_time": "2025-12-10T21:38:57.32366575Z",
            "id": "pypi/2024-09-bondonioanderas-cryptominer/botoceor",
            "sha256": "c5323cd4176dc1507347795fc60454aeb580718b10e144958af3fa3770b9a8c1",
            "modified_time": "2024-09-20T11:29:31Z",
            "versions": [
                "0.1"
            ]
        }
    ]
}

References

https://bad-packages.kam193.eu/pypi/package/botoceor

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - ANALYST
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- ReversingLabs - FINDER
- - https://www.reversinglabs.com

Affected packages

PyPI / botoceor

Package

Name: botoceor; View open source insights on deps.dev
Purl: pkg:pypi/botoceor

Affected ranges

Affected versions

0.*

0.1

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/botoceor/MAL-2024-11540.json"