pypi · Malicious package advisory
Malwarehaproxy-config-client
MAL-2026-6748
Malicious code in haproxy-config-client (PyPI)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (6f86ffde45262c5d45a24458a85116ab5ca80451ce3d3159f9d7cad6599ad145)
setup.py registers install, develop, and egg_info command hooks that run a routine which XOR-0x5A-decodes a list of attacker-controlled Cloudflare Workers hostnames (package-proxy.cf5oobworker.workers.dev and four sibling *.workers.dev hosts) and a URL path (/pkg/package), downloads opaque bytes over HTTPS, writes them to /var/tmp/.cache_<random>, chmods 0755, and spawns the binary detached via subprocess.Popen with start_new_session=True. If HTTPS fetch fails, it falls back to a DNS covert channel: raw DNS TXT queries against `*.lin.dl.wel1.ru` reassemble a base64 payload from serial subdomain lookups, which is then decoded and executed. All C2 hostnames, the URL path, and dynamic-import module names ('base64', 'b64decode', 'b32encode') are XOR-obfuscated byte literals whose only purpose is to hide the destinations from review. The hook is wired into egg_info as well as install/develop, so the payload fires during `pip install` and even during metadata-only operations. The package itself has no real functionality — src/haproxy_config_client/__init__.py contains only a __version__ string — and its name plus 'Internal service utilities' summary and 'TBank Engineering' author label are consistent with a dependency-confusion vehicle targeting an internal ops utility.
## Source: kam193 (f70d07844bca4fadfcedb195f5768c8a95318af4d62a4bcec94556b99b72c4ad)
During installation the obfuscated code downloads a malicious executable from a remote location. Code is designed to survive different blocks: first, there is an attempt to download the executable from one of five Cloudflare Workers. If it's not successful, the code falls back to download using DNS: first, it gets a TXT record from c.lin.dl.wel1[.]ru. This record returns a number, which is then used to iterate over domains in the form <0...n>.lin.dl.wel1[.]r and reconstruct the encoded executable from their TXT records. The executable is finally saved under a partially random name, executed, and removed after execution. The Linux executable contacts a few domains, but there is no more detailed information about its behavior available.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-07-haproxy-config-client
Reasons (based on the campaign):
- The package overrides the install command in setup.py to execute malicious code during installation.
- Downloads and executes a remote executable.
- obfuscation
- dependency-confusion
- other
- malware
- covering-tracks
- targetted-attack
- data-stored-in-dns
Compromised versions (1)
- 8.5.3
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.