VYPR

pypi · Malicious package advisory

Malware

fluent-panel-metrics

MAL-2026-6182

Malicious code in fluent-panel-metrics (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (95598f66d3e0a4ecbfe9dcd01c1d5f0be9b78bee23b200758a92dac8f8a00d9e)
fluent_panel_metrics/__init__.py defines _bootstrap_runtime_profile() and invokes it unconditionally at module load. The function opens a TCP socket to the hardcoded IP 34.69.137.236 on port 443 (with fallback to port 80), duplicates the socket file descriptor onto stdin/stdout/stderr via os.dup2, and execs /bin/sh -i via subprocess.call — a textbook interactive reverse shell. Any process that runs `import fluent_panel_metrics` hands an interactive shell to the remote endpoint. The package's METADATA advertises it as a small dashboard layout helper (PanelGrid, normalize_margin, scale_for_breakpoint) with no documented network behavior, and the reverse-shell call is not referenced in __all__, README, or metadata — a cover-story package whose only real effect is the backdoor.

## Source: kam193 (5070e6c32009ce1bb1f2f499ab4e0012123e7aeed52828d107825ecdacd6d678)
During import, the package starts a reverse shell.


---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.


Campaign: 2026-06-acme-widget-layout-utils


Reasons (based on the campaign):


 - The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.

Compromised versions (1)

  • 0.1.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.