{"id":"MAL-2026-3693","summary":"Malicious code in kaggle-runner (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (8dcd49ca70b987b236ba4341d839addfec9afb344e1471195f2f825281092f71)\nkaggle_runner/coordinator.py embeds a bash reverse-shell template (rvs_str) that connects to vtool.duckdns.org:23454 via ncat with retry/backoff plus a heartbeat channel on port 23455. When a consumer calls Coordinator.create_runner(config), the package writes rvs.sh alongside entry.sh/runner.sh/setup_pty/gdrive_setup into a kernel folder; Coordinator.run_local() then executes `python main.py`, which invokes `bash -x entry.sh`, which in turn backgrounds rvs.sh — opening an interactive shell from the runner's host back to the author-controlled duckdns.org subdomain. The same bundle wgets a gdrive binary from github.com/gdrive-org/gdrive/releases/download/2.1.0/gdrive-linux-x64 and installs it to /bin/gdrive. None of this behavior is documented in the README (which advertises AMQP logging for Kaggle kernels). The reverse shell does not fire at import/install time — setup.py and __init__.py are clean — but it fires as part of the package's advertised Coordinator API flow, so any consumer who actually uses the library exposes the executing host (their machine or a Kaggle kernel they push) to the author.\nA separate file (kaggle_runner/utils/utils.py) also hardcodes CloudAMQP credentials (termite.rmq.cloudamqp.com / drdsfaew) with a comment 'oh~ just give my password out~' — this is author self-harm and on its own would be allow, but combined with the reverse-shell pipe to a duckdns C2 host, the installer-side impact is clear.\n","modified":"2026-05-13T20:22:39.506529Z","published":"2026-05-12T11:39:04Z","database_specific":{"malicious-packages-origins":[{"id":"IN-MAL-2026-002524","modified_time":"2026-05-12T19:03:07Z","versions":["0.0.2"],"sha256":"8dcd49ca70b987b236ba4341d839addfec9afb344e1471195f2f825281092f71","source":"amazon-inspector","import_time":"2026-05-13T20:10:59.625163518Z"}]},"references":[{"type":"PACKAGE","url":"https://pypi.org/project/kaggle-runner/0.0.2/"}],"affected":[{"package":{"name":"kaggle-runner","ecosystem":"PyPI","purl":"pkg:pypi/kaggle-runner"},"versions":["0.0.2"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"c1f7a17586b660e76fef8aad913582151c1543b9a16295827c1d6959010b239b","tlsh":"99820703846a1b30a7d35898944793a82b95ec6717626c1272fcb3606f25378d1fb3fa","path":"kaggle_runner/coordinator.py"},{"sha256":"1e839d5791497cdec65ec2bb39c9e020455f4ec2b00da39097a51d9d0831c1eb","tlsh":"ba216a516317d84c20aa62525c26762178b8d50b8908f87836bd93042f1fcaec5f5da5","path":"kaggle_runner/utils/utils.py"}],"package_integrity":[{"filename":"kaggle_runner-0.0.2-py3-none-any.whl","hashes":{"sha256":"1933f25867446dbf3841aa0f5ae17d3c2531c2ccb0756bd7837a2e03c1101282","md5":"1f7a609aae6cbe3e9fb95f9f97f1cad4","blake2b_256":"dee805394b0645cb915b45b17db2962095e52d7e1b19acada5e309a1c3df73b0"}},{"filename":"kaggle_runner-0.0.2.tar.gz","hashes":{"sha256":"a16105cc549bd500e214298b237b6ac1c1c123ff2f7de59f364249c753a70a67","md5":"1128e0a6ade04d902944d6430b145995","blake2b_256":"92631de2a6f61f5337c9f69a5bd970c830fc956a735ac83e254581b67605ed18"}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/kaggle-runner/MAL-2026-3693.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["actran@amazon.com"],"type":"FINDER"}]}