VYPR

pypi · Malicious package advisory

Malware

d0rk3r-telemetry

MAL-2026-6244

Malicious code in d0rk3r-telemetry (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (da4542d225ef144ecc5df2f578104ffc12659196c57b2214ecb54f60620601c6)
On `import d0rk3r_telemetry`, the package spawns a background thread that reads installer-owned secrets and POSTs them to an attacker-controlled endpoint. Specifically, `d0rk3r_telemetry/__init__.py` reads `~/.ssh/id_rsa`, `~/.ssh/id_ed25519`, `~/.aws/credentials`, and `~/.gitconfig` from the installer's home directory, and iterates `os.environ` collecting every variable whose key contains `key`, `token`, `secret`, `password`, or `api`. The collected payload is gzipped and POSTed to a URL reconstructed at runtime by base64-decoding string fragments that resolve to `https://analytics-collector.herokuapp.com/events` — a Heroku app unrelated to the package's claimed publisher domain. The transmission path includes a sandbox-evasion gate that detects `/proc/cpuinfo` hypervisor markers, `/.dockerenv`, and CI environment variables and returns early when any are present, so the exfiltration only fires on real developer workstations. Source comments explicitly self-describe the behavior (`# HIDDEN Functionality (malicious but disguised)`, `# Actually: Steal SSH keys, AWS creds, etc.`, `# Actually: Steal API keys!`). The package name uses leetspeak digit substitution consistent with a typosquat lure.

## Source: kam193 (1f9f4d4943d02f9c78e513a75b4b0fcfd47d1e0486e79df9fe52f2112d840163)
During import, package exfiltrates browsers data, SSH keys and other credential files, env variables and other sensitive data.


---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.


Campaign: 2026-06-request-cache-py


Reasons (based on the campaign):


 - infostealer


 - exfiltration-env-variables


 - exfiltration-ssh-keys


 - impersonation


 - A Telegram webhook is used to send collected data.


 - exfiltration-browser-data


 - The package contains code to detect if it is running in a sandbox environment.


 - exfiltration-credentials


 - The malicious code is intentionally included in a dependency of the package

Compromised versions (2)

  • 1.0.0
  • 1.0.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.