MALICIOUS (1) package from Python Package Index.
- The campaign has clearly malicious intent, like infostealers.
haproxy-config-client¶
Affected versions: (1) 8.5.3
- Version numbers are usually added automatically. In most cases, the packages listed here were created only to distribute malicious code.
Campaign data¶
Campaign information may not always be 100% accurate for every related package.
Campaign description
During installation the obfuscated code downloads a malicious executable from a remote location. Code is designed to survive different blocks: first, there is an attempt to download the executable from one of five Cloudflare Workers. If it's not successful, the code falls back to download using DNS: first, it gets a TXT record from c.lin.dl.wel1[.]ru. This record returns a number, which is then used to iterate over domains in the form <0...n>.lin.dl.wel1[.]r and reconstruct the encoded executable from their TXT records. The executable is finally saved under a partially random name, executed, and removed after execution. The Linux executable contacts a few domains, but there is no more detailed information about its behavior available.
See more details on the campaign page.
covering-tracks
The package contains code to cover its tracks, e.g. by deleting malicious code after execution.
dependency-confusion
An attempt to exploit dependency confusion
malware
Package contains or installs known malware.
obfuscation
Code uses obfuscation techniques to hide its true purpose.
other
Campaign targets other.
override_install
The package overrides the install command in setup.py to execute malicious code during installation.
remote_executable
Downloads and executes a remote executable.
targetted-attack
Campaign targets targetted-attack.
Look up in other services¶
- Check metadata in pypi-data project (1)
- Search for the package in deps.dev(2)
- Search for the package in socket.dev (3)
- Search for the package in secure.software (4)
- Search for the package in Snyk Advisor (5)
- May not be available. See more in pypi-json-data repository.
- Open Source Insights project, provided by Google.
- Service from Socket.dev, a cybersecurity company.
- Spectra Assure Community, a service from ReversingLabs, a cybersecurity company.
- Service from Snyk, a cybersecurity company.