{"id":"MAL-2026-6231","summary":"Malicious code in improvado-layout-panel-metrics (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (61cc6b0b5d5efe4675f4159e8bc8f6380970614c1dc36b553207fa73fa66104e)\nThe package's top-level fluent_panel_metrics/__init__.py defines _bootstrap_runtime_profile() and unconditionally invokes it at import. The function opens a TCP socket to 34.69.137.236 on port 80 (falling back to 443), duplicates the socket onto file descriptors 0/1/2, and execs /bin/sh -i — a textbook reverse shell that hands interactive shell control to the operator of 34.69.137.236 on any machine that imports the package (directly or transitively). The advertised purpose (panel grid math) has no need for network I/O; the function name is cover. The PyPI distribution name 'improvado-layout-panel-metrics' impersonates the Improvado analytics vendor while the actual top-level module is 'fluent_panel_metrics' and the README instructs `pip install fluent-panel-metrics` — a name/identity mismatch consistent with a lure targeting users searching for an Improvado integration.\n\n## Source: kam193 (5aeeeb45ef8a0d58b7679829291f01f8455c466a416fe3706e9d2042666a40de)\nDuring import, the package starts a reverse shell.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-06-acme-widget-layout-utils\n\n\nReasons (based on the campaign):\n\n\n - The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.\n\n## Source: ossf-package-analysis (45281220c3d37f2fbfa7f18d1d963443a5521d4d5c37614b0843202c32e8d528)\nThe OpenSSF Package Analysis project identified 'improvado-layout-panel-metrics' @ 0.1.1 (pypi) as malicious.\n\nIt is considered malicious because:\n\n- The package executes one or more commands associated with malicious behavior.\n","modified":"2026-06-20T05:16:46.278973872Z","published":"2026-06-19T22:45:50Z","database_specific":{"iocs":{"ips":["34.69.137.236"]},"malicious-packages-origins":[{"modified_time":"2026-06-19T22:45:50.662238Z","import_time":"2026-06-19T23:27:35.537340913Z","id":"pypi/2026-06-acme-widget-layout-utils/improvado-layout-panel-metrics","sha256":"5aeeeb45ef8a0d58b7679829291f01f8455c466a416fe3706e9d2042666a40de","versions":["0.1.0","0.1.1"],"source":"kam193"},{"modified_time":"2026-06-19T22:52:55Z","source":"ossf-package-analysis","sha256":"45281220c3d37f2fbfa7f18d1d963443a5521d4d5c37614b0843202c32e8d528","versions":["0.1.1"],"import_time":"2026-06-20T00:59:14.015310113Z"},{"modified_time":"2026-06-20T03:49:41Z","source":"amazon-inspector","id":"IN-MAL-2026-007090","sha256":"36c4e74ac7bd28c4a5f7f943b6038586888b7c1d83f587a5ac52f43a48e09644","versions":["0.1.0"],"import_time":"2026-06-20T04:58:37.397189147Z"},{"modified_time":"2026-06-20T03:49:43Z","source":"amazon-inspector","id":"IN-MAL-2026-007091","sha256":"61cc6b0b5d5efe4675f4159e8bc8f6380970614c1dc36b553207fa73fa66104e","versions":["0.1.1"],"import_time":"2026-06-20T04:58:37.496342567Z"}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/improvado-layout-panel-metrics"},{"type":"PACKAGE","url":"https://pypi.org/project/improvado-layout-panel-metrics/0.1.0/"},{"type":"PACKAGE","url":"https://pypi.org/project/improvado-layout-panel-metrics/0.1.1/"}],"affected":[{"package":{"name":"improvado-layout-panel-metrics","ecosystem":"PyPI","purl":"pkg:pypi/improvado-layout-panel-metrics"},"versions":["0.1.0","0.1.1"],"database_specific":{"indicators":{"package_integrity":[{"filename":"improvado_layout_panel_metrics-0.1.0-py3-none-any.whl","hashes":{"md5":"1255d1fdbecb43f7c429ddca821d6ce0","blake2b_256":"d63ed587dfd3a684735793e5669c3f6ec667c3df2beedbb54cad71ec155095a7","sha256":"f69737f37272b62413625a1f3a224b94f2880c198f1a1a5486bc2502a6d0e262"}}],"evidence_files":[{"tlsh":"1c311d52ed34d4abd573da2628d3a0427b1669831a8824bb3fbcc3241f130a756f1dec","path":"fluent_panel_metrics/__init__.py","sha256":"deb7e4719fd96a1e456746ccdae5c064c367989c400a35e760f4f2c39d0f2a11"},{"tlsh":"66f02d5aa654e2ced93bd779c4de26601a2f0fb02251ceca0e598230cb020c66176334","path":"improvado_layout_panel_metrics-0.1.0.dist-info/METADATA","sha256":"6328a6f7237dc3c78b2aa29c3bb81166d2d6db359f86a774c4b42be3139c4d2e"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/improvado-layout-panel-metrics/MAL-2026-6231.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"},{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"},{"name":"OpenSSF: Package Analysis","contact":["https://github.com/ossf/package-analysis","https://openssf.slack.com/channels/package_analysis"],"type":"FINDER"}]}