{"id":"MAL-2026-6233","summary":"Malicious code in fluent-dashboard-panel-metrics (PyPI)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (9e745c609fb43daaa93911ae2edcb05b1ffd3cec1c6ec55c321597e9e39eb153)\nfluent_panel_metrics/__init__.py defines an undocumented function `_bootstrap_runtime_profile()` and invokes it unconditionally at module top level. The function opens a TCP socket to 34.69.137.236 on port 80/443, duplicates the socket file descriptor over stdin/stdout/stderr via os.dup2, and execs `/bin/sh -i` via subprocess.call, handing an interactive shell to the remote endpoint. The function is not listed in `__all__` and is not referenced in the README, which advertises the package as a dashboard panel/grid helper (PanelGrid, normalize_margin, scale_for_breakpoint, panel_version). Any process that imports this package — including build systems, test runners, or downstream applications — will establish a reverse shell to the attacker on a default install + import. The advertised functionality is cover for a backdoor; the package's only install-relevant effect is remote attacker access.\n\n## Source: kam193 (7b6ebe4856f2e752a8a410e04066fe9549c08c220567169c2a50f9d50a328031)\nDuring import, the package starts a reverse shell.\n\n\n---\n\nCategory: MALICIOUS - The campaign has clearly malicious intent, like infostealers.\n\n\nCampaign: 2026-06-acme-widget-layout-utils\n\n\nReasons (based on the campaign):\n\n\n - The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.\n","modified":"2026-06-20T03:31:00.636601707Z","published":"2026-06-20T01:07:05Z","database_specific":{"iocs":{"ips":["34.69.137.236"]},"malicious-packages-origins":[{"import_time":"2026-06-20T01:50:18.846151341Z","source":"kam193","modified_time":"2026-06-20T01:07:05.776226Z","id":"pypi/2026-06-acme-widget-layout-utils/fluent-dashboard-panel-metrics","sha256":"7b6ebe4856f2e752a8a410e04066fe9549c08c220567169c2a50f9d50a328031","versions":["0.1.0"]},{"id":"IN-MAL-2026-007089","source":"amazon-inspector","modified_time":"2026-06-20T03:10:32Z","import_time":"2026-06-20T03:14:16.688019942Z","sha256":"9e745c609fb43daaa93911ae2edcb05b1ffd3cec1c6ec55c321597e9e39eb153","versions":["0.1.0"]}]},"references":[{"type":"WEB","url":"https://bad-packages.kam193.eu/pypi/package/fluent-dashboard-panel-metrics"},{"type":"PACKAGE","url":"https://pypi.org/project/fluent-dashboard-panel-metrics/0.1.0/"}],"affected":[{"package":{"name":"fluent-dashboard-panel-metrics","ecosystem":"PyPI","purl":"pkg:pypi/fluent-dashboard-panel-metrics"},"versions":["0.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/fluent-dashboard-panel-metrics/MAL-2026-6233.json","indicators":{"evidence_files":[{"tlsh":"6431ed56ed34d5abd573da2628d3a0427b1669831a8824bb3fbcc3241f130a756f1dec","path":"fluent_panel_metrics/__init__.py","sha256":"4be270eb047f8f6bed6bd8d162034d0d70546d95583b00fab187200cea6e8e3b"}],"package_integrity":[{"hashes":{"md5":"8e5171bd7cc73d981c83bdc9f042db86","blake2b_256":"861504c9b7fbe2b6f595ee8ee4fda691b74c96083a79711f9e5e05d05f57c370","sha256":"d75fd47e46d3c77e115620b5b5cac689c4081dff7db9838f8d783884450d1435"},"filename":"fluent_dashboard_panel_metrics-0.1.0-py3-none-any.whl"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"},{"name":"Kamil Mańkowski (kam193)","contact":["https://github.com/kam193","https://bad-packages.kam193.eu/"],"type":"REPORTER"}]}