ossf
diff --git a/‎config/start-keys.yaml‎
Lines changed: 1 addition & 1 deletion b/‎config/start-keys.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎osv/malicious/pypi/apply-hive-table/MAL-0000-kam193-e7b05867320d1142.json‎
Lines changed: 78 additions & 0 deletions b/‎osv/malicious/pypi/apply-hive-table/MAL-0000-kam193-e7b05867320d1142.json‎
Lines changed: 78 additions & 0 deletions
diff --git a/‎osv/malicious/pypi/dmclc/MAL-0000-kam193-98824533b2b8d261.json‎
Lines changed: 92 additions & 0 deletions b/‎osv/malicious/pypi/dmclc/MAL-0000-kam193-98824533b2b8d261.json‎
Lines changed: 92 additions & 0 deletions
diff --git a/‎osv/malicious/pypi/financial-crimes-general-utils/MAL-0000-kam193-0a25418866ddab42.json‎
Lines changed: 76 additions & 0 deletions b/‎osv/malicious/pypi/financial-crimes-general-utils/MAL-0000-kam193-0a25418866ddab42.json‎
Lines changed: 76 additions & 0 deletions
diff --git a/‎osv/malicious/pypi/modelconftranslator/MAL-0000-kam193-e1d918db23be048d.json‎
Lines changed: 76 additions & 0 deletions b/‎osv/malicious/pypi/modelconftranslator/MAL-0000-kam193-e1d918db23be048d.json‎
Lines changed: 76 additions & 0 deletions
@@ -1,7 +1,7 @@
 amazon-inspector:
     IN-MAL-: IN-MAL-2026-001146.json
 kam193:
-    pypi/packages/malicious/osv/: 1c857e3aa965de45eb2db2c4058207c7517f3a7a
+    pypi/packages/malicious/osv/: fe1f949320bda082835e6129c3e4c1f34308da30
     pypi/packages/pentest/osv/: 0d65fa30569acb74a4cd2f6968297f9cf794b510
     pypi/packages/probably_pentest/osv/: dbfe89897c1972febd30846186aef4b82af004cd
 ossf-package-analysis:
 
@@ -0,0 +1,78 @@
+{
+  "modified": "2026-03-23T14:19:12Z",
+  "published": "2026-03-23T14:19:12Z",
+  "schema_version": "1.7.4",
+  "id": "",
+  "summary": "Malicious code in apply-hive-table (PyPI)",
+  "details": "In specific environments, during installation, the package attempts to exfiltrate some basic information using DNS requests and then cover tracks by installing a similarly named package from the local private repository\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-02-urllib-slim\n\n\nReasons (based on the campaign):\n\n\n - typosquatting\n\n\n - Downloads and executes a remote executable.\n\n\n - obfuscation\n\n\n - dependency-confusion\n\n",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "apply-hive-table"
+      },
+      "versions": [
+        "3.1.4",
+        "3.1.5"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "EVIDENCE",
+      "url": "https://www.virustotal.com/gui/file/d6029cce705b3842042106efb737c8b14eb736fdbfb8d0d03c3dfbc8d6c207a5?nocache=1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/loudpage5125"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/geekennedy/"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/GCLNS"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bad-packages.kam193.eu/pypi/package/apply-hive-table"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Kamil Mańkowski (kam193)",
+      "type": "REPORTER",
+      "contact": [
+        "https://github.com/kam193",
+        "https://bad-packages.kam193.eu/"
+      ]
+    }
+  ],
+  "database_specific": {
+    "iocs": {
+      "domains": [
+        "1r.vc",
+        "i.1r.vc"
+      ],
+      "urls": [
+        "https://storage.googleapis.com/py-pi/python_mac",
+        "https://storage.googleapis.com/py-pi/python_rhel",
+        "https://storage.googleapis.com/py-pi/python_win"
+      ]
+    },
+    "malicious-packages-origins": [
+      {
+        "source": "kam193",
+        "sha256": "e7b05867320d1142c959aa2d1ce4a6cf7fcef12cdb7620cbede9b145204da4f4",
+        "import_time": "2026-03-23T20:16:57.844311604Z",
+        "id": "pypi/2026-02-urllib-slim/apply-hive-table",
+        "modified_time": "2026-03-23T14:19:12.089912Z",
+        "versions": [
+          "3.1.4",
+          "3.1.5"
+        ]
+      }
+    ]
+  }
+}
@@ -0,0 +1,92 @@
+{
+  "modified": "2026-03-23T14:05:43Z",
+  "published": "2026-03-23T14:05:43Z",
+  "schema_version": "1.7.4",
+  "id": "",
+  "summary": "Malicious code in dmclc (PyPI)",
+  "details": "In specific environments, during installation, the package attempts to exfiltrate some basic information using DNS requests and then cover tracks by installing a similarly named package from the local private repository\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-02-urllib-slim\n\n\nReasons (based on the campaign):\n\n\n - typosquatting\n\n\n - Downloads and executes a remote executable.\n\n\n - obfuscation\n\n\n - dependency-confusion\n\n",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "dmclc"
+      },
+      "versions": [
+        "2.1.0",
+        "2.1.1",
+        "2.1.2",
+        "2.1.3",
+        "2.1.5",
+        "2.1.6",
+        "2.1.7",
+        "2.1.9",
+        "2.1.10"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "EVIDENCE",
+      "url": "https://www.virustotal.com/gui/file/d6029cce705b3842042106efb737c8b14eb736fdbfb8d0d03c3dfbc8d6c207a5?nocache=1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/loudpage5125"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/geekennedy/"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/GCLNS"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bad-packages.kam193.eu/pypi/package/dmclc"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Kamil Mańkowski (kam193)",
+      "type": "REPORTER",
+      "contact": [
+        "https://github.com/kam193",
+        "https://bad-packages.kam193.eu/"
+      ]
+    }
+  ],
+  "database_specific": {
+    "iocs": {
+      "domains": [
+        "1r.vc",
+        "i.1r.vc"
+      ],
+      "urls": [
+        "https://storage.googleapis.com/py-pi/python_mac",
+        "https://storage.googleapis.com/py-pi/python_rhel",
+        "https://storage.googleapis.com/py-pi/python_win"
+      ]
+    },
+    "malicious-packages-origins": [
+      {
+        "source": "kam193",
+        "sha256": "98824533b2b8d26131cde65c6fee280bde414c4810f83d56b6b5f59fc7131df5",
+        "import_time": "2026-03-23T20:16:57.84615076Z",
+        "id": "pypi/2026-02-urllib-slim/dmclc",
+        "modified_time": "2026-03-23T14:05:43.559439Z",
+        "versions": [
+          "2.1.0",
+          "2.1.1",
+          "2.1.2",
+          "2.1.3",
+          "2.1.5",
+          "2.1.6",
+          "2.1.7",
+          "2.1.9",
+          "2.1.10"
+        ]
+      }
+    ]
+  }
+}
@@ -0,0 +1,76 @@
+{
+  "modified": "2026-03-23T13:56:01Z",
+  "published": "2026-03-23T13:56:01Z",
+  "schema_version": "1.7.4",
+  "id": "",
+  "summary": "Malicious code in financial-crimes-general-utils (PyPI)",
+  "details": "In specific environments, during installation, the package attempts to exfiltrate some basic information using DNS requests and then cover tracks by installing a similarly named package from the local private repository\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-02-urllib-slim\n\n\nReasons (based on the campaign):\n\n\n - typosquatting\n\n\n - Downloads and executes a remote executable.\n\n\n - obfuscation\n\n\n - dependency-confusion\n\n",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "financial-crimes-general-utils"
+      },
+      "versions": [
+        "3.9.12"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "EVIDENCE",
+      "url": "https://www.virustotal.com/gui/file/d6029cce705b3842042106efb737c8b14eb736fdbfb8d0d03c3dfbc8d6c207a5?nocache=1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/loudpage5125"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/geekennedy/"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/GCLNS"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bad-packages.kam193.eu/pypi/package/financial-crimes-general-utils"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Kamil Mańkowski (kam193)",
+      "type": "REPORTER",
+      "contact": [
+        "https://github.com/kam193",
+        "https://bad-packages.kam193.eu/"
+      ]
+    }
+  ],
+  "database_specific": {
+    "iocs": {
+      "domains": [
+        "1r.vc",
+        "i.1r.vc"
+      ],
+      "urls": [
+        "https://storage.googleapis.com/py-pi/python_mac",
+        "https://storage.googleapis.com/py-pi/python_rhel",
+        "https://storage.googleapis.com/py-pi/python_win"
+      ]
+    },
+    "malicious-packages-origins": [
+      {
+        "source": "kam193",
+        "sha256": "0a25418866ddab42755c1e981f2db0a0b6a8f49fc0635ee981ee6c36dff35b09",
+        "import_time": "2026-03-23T20:16:57.84683842Z",
+        "id": "pypi/2026-02-urllib-slim/financial-crimes-general-utils",
+        "modified_time": "2026-03-23T13:56:01.921236Z",
+        "versions": [
+          "3.9.12"
+        ]
+      }
+    ]
+  }
+}
@@ -0,0 +1,76 @@
+{
+  "modified": "2026-03-23T14:03:21Z",
+  "published": "2026-03-23T14:03:21Z",
+  "schema_version": "1.7.4",
+  "id": "",
+  "summary": "Malicious code in modelconftranslator (PyPI)",
+  "details": "In specific environments, during installation, the package attempts to exfiltrate some basic information using DNS requests and then cover tracks by installing a similarly named package from the local private repository\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-02-urllib-slim\n\n\nReasons (based on the campaign):\n\n\n - typosquatting\n\n\n - Downloads and executes a remote executable.\n\n\n - obfuscation\n\n\n - dependency-confusion\n\n",
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "modelconftranslator"
+      },
+      "versions": [
+        "8.13.4"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "EVIDENCE",
+      "url": "https://www.virustotal.com/gui/file/d6029cce705b3842042106efb737c8b14eb736fdbfb8d0d03c3dfbc8d6c207a5?nocache=1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/loudpage5125"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/geekennedy/"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/GCLNS"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bad-packages.kam193.eu/pypi/package/modelconftranslator"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Kamil Mańkowski (kam193)",
+      "type": "REPORTER",
+      "contact": [
+        "https://github.com/kam193",
+        "https://bad-packages.kam193.eu/"
+      ]
+    }
+  ],
+  "database_specific": {
+    "iocs": {
+      "domains": [
+        "1r.vc",
+        "i.1r.vc"
+      ],
+      "urls": [
+        "https://storage.googleapis.com/py-pi/python_mac",
+        "https://storage.googleapis.com/py-pi/python_rhel",
+        "https://storage.googleapis.com/py-pi/python_win"
+      ]
+    },
+    "malicious-packages-origins": [
+      {
+        "source": "kam193",
+        "sha256": "e1d918db23be048d16eb2c61f1dd164b1e752aa80565b7a01fa31cda7cdf3115",
+        "import_time": "2026-03-23T20:16:57.847635024Z",
+        "id": "pypi/2026-02-urllib-slim/modelconftranslator",
+        "modified_time": "2026-03-23T14:03:21.631203Z",
+        "versions": [
+          "8.13.4"
+        ]
+      }
+    ]
+  }
+}