MAL-2025-3014

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/w3socket/MAL-2025-3014.json

JSON Data

https://api.test.osv.dev/v1/vulns/MAL-2025-3014

Published

2025-02-17T10:36:37Z

Modified

2025-12-03T00:25:01.731082Z

Summary

Malicious code in w3socket (PyPI)

Details

-= Per source details. Do not edit below this line.=-

Source: kam193 (729a8001d69369db2b822c1a13ba9363d3dad46299a6ced4e52ab604c3261ec4)

web3socket: In the class there is a hidden code that loads a binary Python code from a remote location impersonating PyPI Github account web3node: The package is used to download and run remote code by other packages. Files darwin.py, gnu.py and win32.py contain code that adds executing remote code to the crontab as well as an attempt to escalate privileges. w3socket: It uses web3node to start remote code in config.py

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-02-web3socket

Reasons (based on the campaign):

dependency-confusion
impersonation
Downloads and executes a remote malicious script.

Database specific

{
    "iocs": {
        "urls": [
            "https://raw.githubusercontent.com/pypi-org/DynamicLibs/refs/heads/main/web3config.pyc",
            "https://github.com/pypi-org/web3sockcet",
            "https://saboreysecretos.com/wp-includes/assets/script-modules-packages.win.php?u=2"
        ],
        "domains": [
            "saboreysecretos.com"
        ]
    },
    "malicious-packages-origins": [
        {
            "import_time": "2025-03-31T07:07:07.304757137Z",
            "sha256": "02827c7665179ae3b0de814e4e26d33e46361e6c3d470277311e814d1545be07",
            "versions": [
                "0.1.1"
            ],
            "id": "RLMA-2025-02013",
            "modified_time": "2025-03-28T13:06:29Z",
            "source": "reversing-labs"
        },
        {
            "import_time": "2025-12-02T22:30:55.723096371Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "id": "pypi/2025-02-web3socket/w3socket",
            "sha256": "c037b4c528e4a66879f4f1963660065ea4ca715f4b52d60ee31f7e067b496cf5",
            "modified_time": "2025-02-17T10:36:37Z",
            "source": "kam193"
        },
        {
            "import_time": "2025-12-02T23:07:18.762984767Z",
            "ranges": [
                {
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ],
                    "type": "ECOSYSTEM"
                }
            ],
            "id": "pypi/2025-02-web3socket/w3socket",
            "sha256": "729a8001d69369db2b822c1a13ba9363d3dad46299a6ced4e52ab604c3261ec4",
            "modified_time": "2025-02-17T10:36:37Z",
            "source": "kam193"
        }
    ]
}

References

Credits

- Kamil Mańkowski (kam193)
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- Kamil Mańkowski (kam193) - REPORTER
- - https://github.com/kam193
  - https://bad-packages.kam193.eu/
- ReversingLabs - FINDER
- - https://www.reversinglabs.com

Affected packages

PyPI / w3socket

Package

Name: w3socket; View open source insights on deps.dev
Purl: pkg:pypi/w3socket

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.1.1