pypi · Malicious package advisory
Malwarefluent-dashboard-panel-metrics
MAL-2026-6233
Malicious code in fluent-dashboard-panel-metrics (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (9e745c609fb43daaa93911ae2edcb05b1ffd3cec1c6ec55c321597e9e39eb153) fluent_panel_metrics/__init__.py defines an undocumented function `_bootstrap_runtime_profile()` and invokes it unconditionally at module top level. The function opens a TCP socket to 34.69.137.236 on port 80/443, duplicates the socket file descriptor over stdin/stdout/stderr via os.dup2, and execs `/bin/sh -i` via subprocess.call, handing an interactive shell to the remote endpoint. The function is not listed in `__all__` and is not referenced in the README, which advertises the package as a dashboard panel/grid helper (PanelGrid, normalize_margin, scale_for_breakpoint, panel_version). Any process that imports this package — including build systems, test runners, or downstream applications — will establish a reverse shell to the attacker on a default install + import. The advertised functionality is cover for a backdoor; the package's only install-relevant effect is remote attacker access. ## Source: kam193 (7b6ebe4856f2e752a8a410e04066fe9549c08c220567169c2a50f9d50a328031) During import, the package starts a reverse shell. --- Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-06-acme-widget-layout-utils Reasons (based on the campaign): - The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.
Compromised versions (1)
- 0.1.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.