Ingest OSV - Cloud Storage

github-actions · github-actions · commit 31779520e12d · 2026-03-23T09:52:14.000Z
diff --git a/config/start-keys.yaml b/config/start-keys.yaml
@@ -1,7 +1,7 @@
 amazon-inspector:
     IN-MAL-: IN-MAL-2026-001146.json
 kam193:
-    pypi/packages/malicious/osv/: b932b10941d7ade9418ead599627d27f09c7748a
+    pypi/packages/malicious/osv/: 7767a1665d0e56f2496b7db0e66262c1381f2f1c
     pypi/packages/pentest/osv/: 0d65fa30569acb74a4cd2f6968297f9cf794b510
     pypi/packages/probably_pentest/osv/: dbfe89897c1972febd30846186aef4b82af004cd
 ossf-package-analysis:
diff --git a/osv/malicious/pypi/license-utils-kit/MAL-0000-kam193-62f1d552063d20e6.json b/osv/malicious/pypi/license-utils-kit/MAL-0000-kam193-62f1d552063d20e6.json
@@ -0,0 +1,64 @@
+{
+  "modified": "2026-03-23T09:41:24Z",
+  "published": "2026-03-23T09:41:24Z",
+  "schema_version": "1.7.4",
+  "id": "",
+  "summary": "Malicious code in license-utils-kit (PyPI)",
+  "details": "Malicious clone of legitimate \"license\" package. When using the find_by_key function, the malicious code from strongly obfuscated files is loaded. It then at least collects data from cryptowallets and password managers and exfiltrate them to a hardcoded remote location.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-03-license-utils-kit\n\n\nReasons (based on the campaign):\n\n\n - clones-real-package\n\n\n - action-hidden-in-lib-usage\n\n\n - infostealer\n\n\n - crypto-related\n\n\n - obfuscation\n\n\n - exfiltration-credentials\n\n",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "license-utils-kit"
+      },
+      "versions": [
+        "0.1a0",
+        "0.1a1",
+        "0.1b1",
+        "0.1b2",
+        "0.1b3",
+        "0.1b4"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://bad-packages.kam193.eu/pypi/package/license-utils-kit"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Kamil Mańkowski (kam193)",
+      "type": "REPORTER",
+      "contact": [
+        "https://github.com/kam193",
+        "https://bad-packages.kam193.eu/"
+      ]
+    }
+  ],
+  "database_specific": {
+    "iocs": {
+      "ips": [
+        "66.45.225.94"
+      ]
+    },
+    "malicious-packages-origins": [
+      {
+        "source": "kam193",
+        "sha256": "62f1d552063d20e655d715a6f7309c0af7776c3e23d3ae6d3f9c95148a751d93",
+        "import_time": "2026-03-23T09:52:03.22990555Z",
+        "id": "pypi/2026-03-license-utils-kit/license-utils-kit",
+        "modified_time": "2026-03-23T09:41:24.830461Z",
+        "versions": [
+          "0.1a0",
+          "0.1a1",
+          "0.1b1",
+          "0.1b2",
+          "0.1b3",
+          "0.1b4"
+        ]
+      }
+    ]
+  }
+}
