{"id":"MAL-2025-933","summary":"Malicious code in httpfluent (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (ad45caa6ad5e9c6f356193dc378e801a9fd3846f04443ad9d6c841b0b2e80c62)\nThe package contains highly obfuscated content, that install another, downloaded from a remote location obfuscated script in the installation path of the 'requests' package, and marks it as a hidden system file. In addition, another file contains a code that imitates doing some meaningful activity.\n\nLater attempts hide the malicious code in a separated package, downloaded from Test PyPI.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2024-12-httpfluent\n\n\nReasons (based on the campaign):\n\n\n - obfuscation\n\n\n - modify-system-without-consent\n\n\n - Downloads and executes a remote malicious script.\n","modified":"2026-03-19T13:00:36.093957Z","published":"2024-12-14T16:26:57Z","database_specific":{"iocs":{"urls":["https://raw.githubusercontent.com/Red-haired-shanks-1337/repuests/refs/heads/main/puts.py","https://test.pypi.org/simple/httpfluent/","https://github.com/Red-haired-shanks-1337/Rwoka/raw/main/v0.1.0/httpfluent-0.1.tar.gz"]},"malicious-packages-origins":[{"modified_time":"2025-02-03T17:07:27Z","source":"reversing-labs","import_time":"2025-02-03T18:38:06.743651837Z","id":"RLMA-2025-00473","sha256":"4e73b5f66facaaa11e1daa9c06e23aa0178e8b099e72a069330c0e8dd4deea2a","versions":["0.1"]},{"modified_time":"2024-12-14T16:26:57Z","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"source":"kam193","import_time":"2025-12-02T22:30:55.255655926Z","id":"pypi/2024-12-httpfluent/httpfluent","sha256":"940d605085fe152f746a007c5562894c592b62c594ef90484a9a8b4ecf98e9f3"},{"modified_time":"2024-12-14T16:26:57Z","ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"source":"kam193","import_time":"2025-12-02T23:07:18.278410719Z","id":"pypi/2024-12-httpfluent/httpfluent","sha256":"ad45caa6ad5e9c6f356193dc378e801a9fd3846f04443ad9d6c841b0b2e80c62"},{"modified_time":"2024-12-14T16:26:57Z","source":"kam193","import_time":"2025-12-10T21:38:57.530906181Z","id":"pypi/2024-12-httpfluent/httpfluent","sha256":"1c881f912c7c5f72b17522315b5a987903debb8761bb10e3aa5ca935181fc71e","versions":["0.1"]},{"modified_time":"2026-03-18T12:14:43Z","source":"reversing-labs","import_time":"2026-03-19T12:19:52.470941183Z","id":"RLUA-2026-00397","sha256":"53d979e2a65cc9975ca9c23de2e71163e1549b7df6d8cf1a01f6661711e6c34a"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/httpfluent"}],"affected":[{"package":{"name":"httpfluent","ecosystem":"PyPI","purl":"pkg:pypi/httpfluent"},"versions":["0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/httpfluent/MAL-2025-933.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}