-= Per source details. Do not edit below this line.=-
The package is published on PyPI as proxy-checker-j with the summary 'packaged command for running the bundled qsshd executable', but its actual payload is a Go SSH daemon (qsshd) that opens persistent remote shell access to the installer's host. On execution the daemon dials out to a relay controlled through github.com/mydearniko/overthing and forwards inbound connections to a loopback SSH listener. The SSH listener's PublicKeyCallback authorizes only a single ed25519 public key embedded via //go:embed authorized_keys; any party holding the matching private key gets full interactive shell/PTY (shell.Run), arbitrary command execution (shell.RunExec spawning /bin/bash), direct-tcpip, and tcpip-forward port forwarding on the host. Persistence is established by generating a stable device identity on first run and writing it to ~/.config/.device_lock, /dev/shm/.device_lock, and /tmp/.device_lock, pinning the host as a durable target reachable through the relay across restarts. The reverse-tunnel design lets the operator reach the host through NAT and firewalls. The advertised 'proxy checker' purpose does not match the shipped functionality; the naming is a cover story for a remote-access backdoor.
The embedded binary starts a relayed SSH-like server using a hardcoded authorized_key. Thanks to using a relay network, the attacked does not need to directly expose ports from the machine.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-07-proxy-check-i
Reasons (based on the campaign):
backdoor
The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"id": "IN-MAL-2026-010589",
"import_time": "2026-07-15T01:37:34.697298146Z",
"sha256": "4316f8f54acc92939cdf73074666eecab7d5e680c7c4ad572ad3164671aa19dc",
"versions": [
"0.1.0"
],
"modified_time": "2026-07-15T00:39:23Z"
},
{
"id": "pypi/2026-07-proxy-check-i/proxy-checker-j",
"source": "kam193",
"import_time": "2026-07-15T00:34:13.280795403Z",
"sha256": "8bbbe85539f267e6bac84fa2d7653392c9235106e5f97e124f06eda25cffb38c",
"versions": [
"0.1.0"
],
"modified_time": "2026-07-14T23:58:43.286437Z"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/proxy-checker-j/MAL-2026-10644.json"
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "proxy_checker_j-0.1.0-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl",
"hashes": {
"blake2b_256": "d78022c8b0e054479bfbf5e91da8e7e6e18f64eccdcb1de3d6802fedf9085411",
"sha256": "33e0f0c7b3a6b16f3e7d7d42ec70581ea72e886a3dd9e82afbb5aeab62b6b3cc",
"md5": "d8e6dde81b7d2be1326d011e287a603a"
}
},
{
"filename": "proxy_checker_j-0.1.0.tar.gz",
"hashes": {
"blake2b_256": "52fb7e96091868e70495b1620653b2b409964626cbcf8c8f38362c9271a1081a",
"sha256": "5473e90c51f57746065ac32615963616ec964c3b01d43bde6146053fad50b7e0",
"md5": "3ee838f5cfab35c89106a712c2245e72"
}
}
],
"evidence_files": [
{
"path": "internal/sshd/server.go",
"sha256": "1a2bdcc78ae0ee20c7624711f9d1777598a55c8e1f5ed15f0f2adf26c9ab438e",
"tlsh": "338167d1fe6f097dea95600c8c4185f95abdd5b2a53c00f294d8f7b9119f09f8328694"
},
{
"path": "cmd/qsshd/main.go",
"sha256": "11b62bdf63eded55b9f9140dc0751043eec98464a1cc7c6cd6023c0056085ec1",
"tlsh": "0b82a5e2ebbd45160b921068dc549559effcd0394a3890f9f498a2fb308c59fc1bdac6"
},
{
"path": "PKG-INFO",
"sha256": "650aad67547ffdfee6276674b33a394304cf9d375c418ca56eafb83d1290a40c",
"tlsh": "89d02ba56381b1b0b0a98ac5010c5b91446bc142668915d6c9e21ecb0d8d26883db030"
}
]
}