{"id":"MAL-2025-998","summary":"Malicious code in trove4j (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (d9c0dbfcd94c11b086cf83f69796c321829bdd64c2ebe53d8f74a72d46e465b0)\nImporting the module triggers sending out the hostname to the package author. It looks to be a placeholder/pentest activity related to BytedDance.\n\n\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.\n\n\nCampaign: 2024-11-0wn-sh\n\n\nReasons (based on the campaign):\n\n\n - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.\n","modified":"2026-03-19T13:05:15.521496Z","published":"2024-11-29T13:03:21Z","database_specific":{"malicious-packages-origins":[{"import_time":"2025-02-03T18:38:10.072414502Z","sha256":"9c18f5370b5400f7a98f098e11832e4de4522532ae31581643a9cb457d746894","source":"reversing-labs","versions":["0.1.1"],"id":"RLMA-2025-00539","modified_time":"2025-02-03T17:08:01Z"},{"sha256":"5e606c73142c693ff25bdb051de53e863e37ac4ea4740abe54eefea7be0896cf","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"source":"kam193","import_time":"2025-12-02T22:30:56.472388733Z","id":"pypi/2024-11-0wn-sh/trove4j","modified_time":"2024-11-29T13:03:21Z"},{"sha256":"d9c0dbfcd94c11b086cf83f69796c321829bdd64c2ebe53d8f74a72d46e465b0","ranges":[{"events":[{"introduced":"0"}],"type":"ECOSYSTEM"}],"source":"kam193","import_time":"2025-12-02T23:07:19.656256154Z","id":"pypi/2024-11-0wn-sh/trove4j","modified_time":"2024-11-29T13:03:21Z"},{"import_time":"2025-12-10T21:38:58.75314547Z","sha256":"e1b5575c0858eb262f70c8dd8a3f395deac7292d3ed0315d13fb47ec5d353794","source":"kam193","versions":["0.1.1"],"id":"pypi/2024-11-0wn-sh/trove4j","modified_time":"2024-11-29T13:03:21Z"},{"sha256":"5a0c5cbc1a91dd8e492a4e23c4f3d79db4dd69b000de93bfe476aa034367f787","source":"reversing-labs","import_time":"2026-03-19T12:20:38.035259795Z","id":"RLUA-2026-00864","modified_time":"2026-03-18T12:19:55Z"}],"iocs":{"domains":["0wn.sh"]}},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/trove4j"}],"affected":[{"package":{"name":"trove4j","ecosystem":"PyPI","purl":"pkg:pypi/trove4j"},"versions":["0.1.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/trove4j/MAL-2025-998.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"ANALYST"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}