kaggle_runner/coordinator.py embeds a bash reverse-shell template (rvsstr) that connects to vtool.duckdns.org:23454 via ncat with retry/backoff, plus a heartbeat channel on port 23455. When a consumer calls Coordinator.createrunner(config), the package writes rvs.sh alongside entry.sh, runner.sh, setuppty and gdrivesetup into a kernel folder. Coordinator.runlocal() then executes python main.py, which invokes bash -x entry.sh, which in turn backgrounds rvs.sh, opening an interactive shell from the runner's host back to the author-controlled duckdns.org subdomain. The same bundle wgets a gdrive binary from github.com/gdrive-org/gdrive/releases/download/2.1.0/gdrive-linux-x64 and installs it to /bin/gdrive. None of this behavior is documented in the README, which advertises AMQP logging for Kaggle kernels. The reverse shell does not fire at import or install time (setup.py and __init__.py are clean), but it fires as part of the package's advertised Coordinator API flow, so any consumer who actually uses the library exposes the executing host (their own machine or a Kaggle kernel they push) to the author. A separate file, kaggle_runner/utils/utils.py, also hardcodes CloudAMQP credentials (termite.rmq.cloudamqp.com / drdsfaew) with the comment 'oh~ just give my password out~'. That is self-harm on the author's part and on its own would merit an allow verdict, but combined with the reverse-shell pipe to a duckdns C2 host, the impact on anyone who installs and uses the package is clear.
{
  "malicious-packages-origins": [
    {
      "versions": [
        "0.0.2"
      ],
      "sha256": "8dcd49ca70b987b236ba4341d839addfec9afb344e1471195f2f825281092f71",
      "modified_time": "2026-05-12T19:03:07Z",
      "source": "amazon-inspector",
      "id": "IN-MAL-2026-002524",
      "import_time": "2026-05-13T20:10:59.625163518Z"
    }
  ]
}

{
  "package_integrity": [
    {
      "filename": "kaggle_runner-0.0.2-py3-none-any.whl",
      "hashes": {
        "sha256": "1933f25867446dbf3841aa0f5ae17d3c2531c2ccb0756bd7837a2e03c1101282",
        "md5": "1f7a609aae6cbe3e9fb95f9f97f1cad4",
        "blake2b_256": "dee805394b0645cb915b45b17db2962095e52d7e1b19acada5e309a1c3df73b0"
      }
    },
    {
      "filename": "kaggle_runner-0.0.2.tar.gz",
      "hashes": {
        "sha256": "a16105cc549bd500e214298b237b6ac1c1c123ff2f7de59f364249c753a70a67",
        "md5": "1128e0a6ade04d902944d6430b145995",
        "blake2b_256": "92631de2a6f61f5337c9f69a5bd970c830fc956a735ac83e254581b67605ed18"
      }
    }
  ],
  "evidence_files": [
    {
      "sha256": "c1f7a17586b660e76fef8aad913582151c1543b9a16295827c1d6959010b239b",
      "path": "kaggle_runner/coordinator.py",
      "tlsh": "99820703846a1b30a7d35898944793a82b95ec6717626c1272fcb3606f25378d1fb3fa"
    },
    {
      "sha256": "1e839d5791497cdec65ec2bb39c9e020455f4ec2b00da39097a51d9d0831c1eb",
      "path": "kaggle_runner/utils/utils.py",
      "tlsh": "ba216a516317d84c20aa62525c26762178b8d50b8908f87836bd93042f1fcaec5f5da5"
    }
  ]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/kaggle-runner/MAL-2026-3693.json"
[
  {
    "description": "The product contains code that appears to be malicious in nature.",
    "name": "Embedded Malicious Code",
    "cweId": "CWE-506"
  }
]