{"id":"MAL-2026-5532","summary":"Malicious code in icinga (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (fbedb312e9cfe0f5cc7783487adc963f142ebcaefa0fb9305a9a535f373b052d)\nPyPI package 'icinga' at version 99.1.0 is a dependency-confusion / typosquat lure against the Icinga monitoring project. It ships no real functionality (generic description 'Operational package utility', placeholder author 'Dev') and exists only to run an install-time beacon. setup.py defines a CustomInstall command that, after install.run(self), collects host identifiers (COMPUTERNAME / uname nodename, current working directory, OS info, and the internal IP obtained via a UDP socket trick to 8.8.8.8) and POSTs them as JSON, tagged 'pypi-tg' / 'icinga', to a base64-encoded URL (aHR0cHM6Ly9weXRob24tbG9nLmxhcHhhMzU0LndvcmtlcnMuZGV2Lw== → https://python-log.lapxa354.workers.dev/) decoded at runtime via base64.b64decode and dispatched with urllib.request.urlopen. Exceptions are suppressed to keep the install silent. The implausibly high version number (99.1.0) is a classic dependency-confusion technique to outrank legitimate internal mirrors of an 'icinga' name. Installer impact: any machine running `pip install icinga` (CI runner, developer workstation, internal build host) leaks its hostname, internal IP, working directory, and OS to the attacker — confirming the typosquat lands and seeding follow-up targeted attacks.\n\n## Source: kam193 (d9cccf2af56889eebe443b4e56066615f2524f1359a6dc8d7c3757edad319294)\nInstalling the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.\n\n\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.\n\n\nCampaign: GENERIC-standard-pypi-install-pentest\n\n\nReasons (based on the campaign):\n\n\n - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n","modified":"2026-06-11T00:16:29.508295731Z","published":"2026-06-10T22:38:06Z","database_specific":{"malicious-packages-origins":[{"sha256":"d9cccf2af56889eebe443b4e56066615f2524f1359a6dc8d7c3757edad319294","import_time":"2026-06-10T23:05:20.293091847Z","modified_time":"2026-06-10T22:38:06.714183Z","versions":["99.1.0","99.2.0"],"source":"kam193","id":"pypi/GENERIC-standard-pypi-install-pentest/icinga"},{"sha256":"fabb684e6e03a2dbe24fdaf0e0ad5ef0f7713de8b90336c8a32acdd338239f3b","import_time":"2026-06-11T00:00:57.405525663Z","modified_time":"2026-06-10T23:33:17Z","versions":["99.2.0"],"source":"amazon-inspector","id":"IN-MAL-2026-005311"},{"sha256":"fbedb312e9cfe0f5cc7783487adc963f142ebcaefa0fb9305a9a535f373b052d","import_time":"2026-06-11T00:00:57.719247967Z","modified_time":"2026-06-10T23:33:32Z","versions":["99.1.0"],"source":"amazon-inspector","id":"IN-MAL-2026-005314"},{"sha256":"7c34cfe5b70b2aa01e8acb95ead7bd3d3fb21d34a5c970d93b9410f3c295ff1d","import_time":"2026-06-11T00:00:57.815478929Z","modified_time":"2026-06-10T23:33:32Z","versions":["99.1.0"],"source":"amazon-inspector","id":"IN-MAL-2026-005315"},{"sha256":"b55d1127d185fdb502e307fc56184adc01866e7f88d26e1eb8a1717d87bb1193","import_time":"2026-06-11T00:00:57.157211643Z","modified_time":"2026-06-10T23:33:17Z","versions":["99.2.0"],"source":"amazon-inspector","id":"IN-MAL-2026-005310"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/icinga"},{"type":"PACKAGE","url":"https://pypi.org/project/icinga/99.1.0/"},{"type":"PACKAGE","url":"https://pypi.org/project/icinga/99.2.0/"}],"affected":[{"package":{"name":"icinga","ecosystem":"PyPI","purl":"pkg:pypi/icinga"},"versions":["99.1.0","99.2.0"],"database_specific":{"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"},{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/icinga/MAL-2026-5532.json","indicators":{"domains":["python-log.lapxa354.workers.dev"],"package_integrity":[{"hashes":{"sha256":"70ece41eeea5f609636c38c885de53063bde7e461546a404715b16a83d940231","blake2b_256":"185cd17d82182f6fcfcaa39fa4aac3c353b42bd77f04853c7a0d5f895e69797e","md5":"c88b47f1bfd100cfb45a11dd047d3dbe"},"filename":"icinga-99.1.0-py3-none-any.whl"},{"hashes":{"sha256":"07a5f39b0d3f0373fa74a9ec27af0ee32f5ad435c3a9eadc0c35d5ff8c1244dc","blake2b_256":"7a1eace24a9200bdfb829a13e4aa92002b91b767376987e479c77e7018f5d971","md5":"ba0cb0d0c1a7f2dfee0d3dfd437ec1f0"},"filename":"icinga-99.1.0.tar.gz"}],"evidence_files":[{"sha256":"2d80c9da7fedc7704680228b6d5077846a0d8c0ef3254d4b1c5042aa68d76457","path":"setup.py","tlsh":"0b312087dc3a1831b8b5836888134915f732760b1b03d86b7dfc27786f76424e822bb9"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}