MAL-2025-923
Malicious code in fflask (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: ghsa-malware (125471d3fb13da284e2a1e6f08627065506454ba819af239105d536da0854c74) ## Source: kam193 (106052056ac243ab1b11c7bbf3a04ff9f1b408cf92616fa635242b4230490d2f) Importing the module downloads and starts an infostealer attempting to exfiltrate data and establishing persistence through autorun directory.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2024-12-reqesst
Reasons (based on the campaign):
- infostealer
- peristence-autorun
- typosquatting
- exfiltration-generic
- Downloads and executes a remote executable.
- clones-real-package
- dependency-confusion
- exfiltration-browser-data
- exfiltration-crypto
---
Credit: [OpenSSF](https://github.com/ossf/malicious-packages) ([source](https://github.com/ossf/malicious-packages/blob/88c73798a8559379079a46c613bf17f15981dcdc/osv/malicious/pypi/fflask/MAL-2025-923.json))
## Source: kam193 (106052056ac243ab1b11c7bbf3a04ff9f1b408cf92616fa635242b4230490d2f) Importing the module downloads and starts an infostealer attempting to exfiltrate data and establishing persistence through autorun directory.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2024-12-reqesst
Reasons (based on the campaign):
- infostealer
- peristence-autorun
- typosquatting
- exfiltration-generic
- Downloads and executes a remote executable.
- clones-real-package
- dependency-confusion
- exfiltration-browser-data
- exfiltration-crypto
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for fflask (pip). Pin to a known-safe version or switch to an alternative.
References
- https://www.virustotal.com/gui/file/0736a1f176f081a076b2cba3b54e1cb1462fe1a01be16144397bbc0d4739d01a [EVIDENCE]
- https://www.virustotal.com/gui/file/56ed3b8ca17b00ee8e7a1cb13298e5b12fd1771c24b33b9a84ba92b0610279e5 [EVIDENCE]
- https://bad-packages.kam193.eu/pypi/package/fflask [WEB]
- https://www.virustotal.com/gui/file/0736a1f176f081a076b2cba3b54e1cb1462fe1a01be16144397bbc0d4739d01a [WEB]
- https://www.virustotal.com/gui/file/56ed3b8ca17b00ee8e7a1cb13298e5b12fd1771c24b33b9a84ba92b0610279e5 [WEB]
- https://github.com/advisories/GHSA-mpw9-j6mm-f9gc [ADVISORY]