{"id":"MAL-2026-7015","summary":"Malicious code in turbom (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (64978153f8a987180b6c8e88b5787598ed949a604527f0098271f97d8c66a235)\nStarting version 1.0.1, the package contains obfuscated code and embedded binary that is executed during the import, sharing many similarities with package oxntime. The embedded seems to act as a guard for further execution, with some sandbox evasion techniques and time-based actions.\n\nPrior to 1.0.1, the package offered obfuscation techniques.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-07-oxntime\n\n\nReasons (based on the campaign):\n\n\n - obfuscation\n\n\n - The package contains code to detect if it is running in a sandbox environment.\n\n\n - target:android\n\n\n - covering-tracks\n","modified":"2026-07-08T17:46:37.046975930Z","published":"2026-07-08T16:50:17Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-07-08T16:50:17.62034Z","sha256":"64978153f8a987180b6c8e88b5787598ed949a604527f0098271f97d8c66a235","source":"kam193","versions":["1.0.0","1.0.1"],"id":"pypi/2026-07-oxntime/turbom","import_time":"2026-07-08T17:40:22.113281427Z"}]},"references":[{"type":"EVIDENCE","url":"https://www.virustotal.com/gui/file/af85ade822327a06cc91ad28aa6344c745742d613bcd04d09a456367c15b2e87/detection"},{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/turbom"}],"affected":[{"package":{"name":"turbom","ecosystem":"PyPI","purl":"pkg:pypi/turbom"},"versions":["1.0.0","1.0.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/turbom/MAL-2026-7015.json"}}],"schema_version":"1.7.5","credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}