{"schema_version":"1.7.5","id":"MAL-2025-191646","published":"2025-10-16T20:06:59Z","modified":"2026-03-19T12:54:26.708664Z","summary":"Malicious code in makronlox (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: kam193 (f918d3ae448737e8a58e16ad57af3037e27ba8ab02fef22ba6e0b4f6f2c49e1a)\nPackage automatically download and runs an executable, which then imitates a malicious action and requests ransom payment.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2025-10-makronlox\n\n\nReasons (based on the campaign):\n\n\n - Downloads and executes a remote executable.\n","affected":[{"package":{"name":"makronlox","ecosystem":"PyPI","purl":"pkg:pypi/makronlox"},"versions":["0.1.0","0.1.1"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/makronlox/MAL-2025-191646.json"}}],"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/makronlox"}],"database_specific":{"iocs":{"urls":["https://www.dropbox.com/scl/fi/19qqc7egp8py7t7ov659m/123.exe?rlkey=oc0nbftrgxo4avtee5grwbmqi&st=8q0bp98n&dl=1"]},"malicious-packages-origins":[{"id":"RLMA-2025-05618","import_time":"2025-12-02T09:09:38.274159953Z","modified_time":"2025-12-01T12:54:39Z","sha256":"47be8a7e5f1940d95c2347fecd3bb6c7f27e108baa8e7d05164057ab477e35a1","source":"reversing-labs","versions":["0.1.0","0.1.1"]},{"id":"pypi/2025-10-makronlox/makronlox","import_time":"2025-12-02T22:30:55.322055382Z","modified_time":"2025-10-16T20:06:59.603962Z","sha256":"17abd14fe59573528e2f3cb5f17962f31547b060a04b3ba386d914ee0a2da190","source":"kam193","versions":["0.1.1","0.1.0"]},{"id":"pypi/2025-10-makronlox/makronlox","import_time":"2025-12-02T23:07:18.349510064Z","modified_time":"2025-10-16T20:06:59.603962Z","sha256":"f918d3ae448737e8a58e16ad57af3037e27ba8ab02fef22ba6e0b4f6f2c49e1a","source":"kam193","versions":["0.1.1","0.1.0"]},{"id":"pypi/2025-10-makronlox/makronlox","import_time":"2025-12-30T22:39:04.124783434Z","modified_time":"2025-10-16T20:06:59.603962Z","sha256":"972236288ab417e0cd3764ea452ba8812663a2ea575fffbc47bc34d4c9387d63","source":"kam193","versions":["0.1.0","0.1.1"]},{"id":"RLUA-2026-00488","import_time":"2026-03-19T12:20:01.036027873Z","modified_time":"2026-03-18T12:15:47Z","sha256":"a8e8182c2a32d7548945d394510b18fc41147847c423b9ebbcd7c17a2fa37d9e","source":"reversing-labs"}]},"credits":[{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"]},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"ReversingLabs","contact":["https://www.reversinglabs.com"],"type":"FINDER"}]}