Ingest OSV - Cloud Storage

github-actions · github-actions · commit 12c826e5732f · 2026-03-20T13:30:35.000Z
diff --git a/config/start-keys.yaml b/config/start-keys.yaml
@@ -1,7 +1,7 @@
 amazon-inspector:
     IN-MAL-: IN-MAL-2026-000461.json
 kam193:
-    pypi/packages/malicious/osv/: 707400e145d01e3da96ebfb26a7dc761071a8679
+    pypi/packages/malicious/osv/: 158b9c4709a954c2b3d2d42661ed195bea239bcb
     pypi/packages/pentest/osv/: 0d65fa30569acb74a4cd2f6968297f9cf794b510
     pypi/packages/probably_pentest/osv/: 35f59069e67ec2e539784d8a8df54bce0b7a7b74
 ossf-package-analysis:
diff --git a/osv/malicious/pypi/cfgmgr-syn/MAL-0000-kam193-ea20f8a566abc23f.json b/osv/malicious/pypi/cfgmgr-syn/MAL-0000-kam193-ea20f8a566abc23f.json
@@ -0,0 +1,59 @@
+{
+  "modified": "2026-03-20T13:12:40Z",
+  "published": "2026-03-20T13:12:40Z",
+  "schema_version": "1.7.4",
+  "id": "",
+  "summary": "Malicious code in cfgmgr-syn (PyPI)",
+  "details": "The code exfiltrates content copied to clipboard content to a hardcoded location. The code is obfuscated and has a persistence mechanism.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-03-cfgmgr-syn\n\n\nReasons (based on the campaign):\n\n\n - clipboard-stealing\n\n\n - obfuscation\n\n\n - exfiltration-generic\n\n\n - persistence\n\n",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "cfgmgr-syn"
+      },
+      "versions": [
+        "1.0.26",
+        "1.0.27"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://bad-packages.kam193.eu/pypi/package/cfgmgr-syn"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Kamil Mańkowski (kam193)",
+      "type": "ANALYST",
+      "contact": [
+        "https://github.com/kam193",
+        "https://bad-packages.kam193.eu/"
+      ]
+    }
+  ],
+  "database_specific": {
+    "iocs": {
+      "ips": [
+        "204.10.194.247"
+      ],
+      "urls": [
+        "http://204.10.194.247:8765"
+      ]
+    },
+    "malicious-packages-origins": [
+      {
+        "source": "kam193",
+        "sha256": "ea20f8a566abc23f4b1d13543234fad04a3f791af173dd3dd3024bd93c3308c9",
+        "import_time": "2026-03-20T13:30:24.776264837Z",
+        "id": "pypi/2026-03-cfgmgr-syn/cfgmgr-syn",
+        "modified_time": "2026-03-20T13:12:40.302389Z",
+        "versions": [
+          "1.0.26",
+          "1.0.27"
+        ]
+      }
+    ]
+  }
+}
diff --git a/osv/malicious/pypi/cfgmgr-sync/MAL-0000-kam193-e3f72f18351a20c1.json b/osv/malicious/pypi/cfgmgr-sync/MAL-0000-kam193-e3f72f18351a20c1.json
@@ -0,0 +1,75 @@
+{
+  "modified": "2026-03-20T13:13:33Z",
+  "published": "2026-03-20T13:13:33Z",
+  "schema_version": "1.7.4",
+  "id": "",
+  "summary": "Malicious code in cfgmgr-sync (PyPI)",
+  "details": "The code exfiltrates content copied to clipboard content to a hardcoded location. The code is obfuscated and has a persistence mechanism.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-03-cfgmgr-syn\n\n\nReasons (based on the campaign):\n\n\n - clipboard-stealing\n\n\n - obfuscation\n\n\n - exfiltration-generic\n\n\n - persistence\n\n",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "cfgmgr-sync"
+      },
+      "versions": [
+        "1.0.0",
+        "1.0.1",
+        "1.0.2",
+        "1.0.3",
+        "1.0.4",
+        "1.0.5",
+        "1.0.6",
+        "1.0.7",
+        "1.0.8",
+        "1.0.9"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://bad-packages.kam193.eu/pypi/package/cfgmgr-sync"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Kamil Mańkowski (kam193)",
+      "type": "ANALYST",
+      "contact": [
+        "https://github.com/kam193",
+        "https://bad-packages.kam193.eu/"
+      ]
+    }
+  ],
+  "database_specific": {
+    "iocs": {
+      "ips": [
+        "204.10.194.247"
+      ],
+      "urls": [
+        "http://204.10.194.247:8765"
+      ]
+    },
+    "malicious-packages-origins": [
+      {
+        "source": "kam193",
+        "sha256": "e3f72f18351a20c172ef8154055917c9e977fe782b32a4716faed582d67f3071",
+        "import_time": "2026-03-20T13:30:24.778242797Z",
+        "id": "pypi/2026-03-cfgmgr-syn/cfgmgr-sync",
+        "modified_time": "2026-03-20T13:13:33.431911Z",
+        "versions": [
+          "1.0.0",
+          "1.0.1",
+          "1.0.2",
+          "1.0.3",
+          "1.0.4",
+          "1.0.5",
+          "1.0.6",
+          "1.0.7",
+          "1.0.8",
+          "1.0.9"
+        ]
+      }
+    ]
+  }
+}
