MAL-2024-5721
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/pyhttpproxifier/MAL-2024-5721.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/MAL-2024-5721
- Aliases
-
- SNYK-PYTHON-PYHTTPPROXIFIER-6139263
- Published
- 2024-06-25T13:40:09Z
- Modified
- 2025-12-31T02:56:14.846383Z
- Summary
- Malicious code in pyhttpproxifier (PyPI)
- Details
-
-= Per source details. Do not edit below this line.=-
## Source: kam193 (39705bbe10a91b3e2c4279406418971389f07807bb4544b10fb9710bdc0fb0ef)
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2023-11-update-information-endpoint
Reasons (based on the campaign):
obfuscation
The package overrides the install command in setup.py to execute malicious code during installation.
typosquatting
- Database specific
{ "malicious-packages-origins": [ { "sha256": "ea9afb1ee122cb2d9ac43a293fbf3fea7c76bab4ec771a45d718d9f5f5176ecb", "source": "reversing-labs", "id": "RLMA-2024-04507", "import_time": "2024-06-28T02:50:08.455059843Z", "versions": [ "0.9.3", "0.9.2" ], "modified_time": "2024-06-25T13:40:09Z" }, { "sha256": "dc55c4f27862e384c8f466b8b3ea8a784dd2afb75916767c22f811fe8f7f2163", "source": "reversing-labs", "id": "RLUA-2024-08945", "import_time": "2024-10-24T00:59:52.167946248Z", "modified_time": "2024-10-16T14:48:06Z" }, { "sha256": "39d1db7e77e25ff58111cef492a839286cbc3635cd7e50794cf218db3b111286", "source": "kam193", "id": "pypi/2023-11-update-information-endpoint/pyhttpproxifier", "import_time": "2025-12-02T22:30:55.469003578Z", "modified_time": "2024-08-09T19:17:59Z", "ranges": [ { "events": [ { "introduced": "0" } ], "type": "ECOSYSTEM" } ] }, { "sha256": "39705bbe10a91b3e2c4279406418971389f07807bb4544b10fb9710bdc0fb0ef", "source": "kam193", "id": "pypi/2023-11-update-information-endpoint/pyhttpproxifier", "import_time": "2025-12-02T23:07:18.493746593Z", "modified_time": "2024-08-09T19:17:59Z", "ranges": [ { "events": [ { "introduced": "0" } ], "type": "ECOSYSTEM" } ] }, { "sha256": "770fa96aa12f920d2c69a15706cf9b92c331e26693d4bf5c0f13f6d90b0cbda3", "source": "kam193", "id": "pypi/2023-11-update-information-endpoint/pyhttpproxifier", "import_time": "2025-12-10T21:38:57.707844753Z", "versions": [ "0.9.3", "0.9.2" ], "modified_time": "2024-08-09T19:17:59Z" }, { "sha256": "0c444844511c3332bbb9825a35cddb5b98af27df75ac5c8185a5597df5fbb75b", "source": "reversing-labs", "id": "RLUA-2025-06581", "import_time": "2025-12-24T10:07:36.689475746Z", "modified_time": "2025-12-23T08:39:26Z" }, { "sha256": "2395573889c3ebd57f5d26ad2da7316a45eccd28bb073635c7bb20c4fbb3a998", "source": "kam193", "id": "pypi/2023-11-update-information-endpoint/pyhttpproxifier", "import_time": "2025-12-30T22:39:04.144638818Z", "versions": [ "0.9.2", "0.9.3" ], "modified_time": "2024-08-09T19:17:59Z" } ] }- References
-
- https://medium.com/checkmarx-security/python-packages-leverage-github-to-deploy-fileless-malware-b6c281dea58f
- https://security.snyk.io/vuln/SNYK-PYTHON-PYHTTPPROXIFIER-6139263
- https://bad-packages.kam193.eu/pypi/package/pyhttpproxifier
- https://www.reversinglabs.com/blog/malware-leveraging-public-infrastructure-like-github-on-the-rise
- Credits
-
-
- Kamil Mańkowski (kam193)
-
- Kamil Mańkowski (kam193) - ANALYST
-
- ReversingLabs - FINDER
-
Affected packages
PyPI / pyhttpproxifier
Package
- Name
- pyhttpproxifier
- View open source insights on deps.dev
- Purl
- pkg:pypi/pyhttpproxifier