MAL-2026-6182

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/fluent-panel-metrics/MAL-2026-6182.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6182
Published
2026-06-19T00:53:01Z
Modified
2026-06-19T05:31:48.253544322Z
Summary
Malicious code in fluent-panel-metrics (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (95598f66d3e0a4ecbfe9dcd01c1d5f0be9b78bee23b200758a92dac8f8a00d9e)

fluent_panel_metrics/__init__.py defines bootstrap_runtime_profile() and invokes it unconditionally at module load. The function opens a TCP socket to the hardcoded IP 34.69.137.236 on port 443 (with fallback to port 80), duplicates the socket file descriptor onto stdin/stdout/stderr via os.dup2, and execs /bin/sh -i via subprocess.call: a textbook interactive reverse shell. Any process that runs `import fluent_panel_metrics` hands an interactive shell to the remote endpoint. The package's METADATA advertises it as a small dashboard layout helper (PanelGrid, normalize_margin, scale_for_breakpoint) with no documented network behavior, and the reverse-shell call is not referenced in __all__, README, or metadata. It is a cover-story package whose only real effect is the backdoor.

Source: kam193 (5070e6c32009ce1bb1f2f499ab4e0012123e7aeed52828d107825ecdacd6d678)

During import, the package starts a reverse shell.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-acme-widget-layout-utils

Reasons (based on the campaign):

  • The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.
Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "5070e6c32009ce1bb1f2f499ab4e0012123e7aeed52828d107825ecdacd6d678",
            "source": "kam193",
            "modified_time": "2026-06-19T00:53:01.085019Z",
            "versions": [
                "0.1.0"
            ],
            "id": "pypi/2026-06-acme-widget-layout-utils/fluent-panel-metrics",
            "import_time": "2026-06-19T01:39:42.167356333Z"
        },
        {
            "sha256": "95598f66d3e0a4ecbfe9dcd01c1d5f0be9b78bee23b200758a92dac8f8a00d9e",
            "source": "amazon-inspector",
            "modified_time": "2026-06-19T03:45:35Z",
            "id": "IN-MAL-2026-007040",
            "versions": [
                "0.1.0"
            ],
            "import_time": "2026-06-19T05:16:47.960349876Z"
        }
    ],
    "iocs": {
        "ips": [
            "34.69.137.236"
        ]
    }
}
References
Credits

Affected packages

PyPI / fluent-panel-metrics

Package

Name
fluent-panel-metrics
Purl
pkg:pypi/fluent-panel-metrics

Affected ranges

Affected versions

0.*
0.1.0

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/fluent-panel-metrics/MAL-2026-6182.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "2785cc899f0f97ab4c9f29b81fe147b4ffe79dbc400797c8b61d7d6e2aad7f00",
            "tlsh": "7d31ce52ed3595abd573da2624d7a0427b066a831a4824ba3fac83241f130a656f1dec",
            "path": "fluent_panel_metrics/__init__.py"
        },
        {
            "sha256": "f124b1491868296b89bc5e226997a0aa9f6fbd56d1aeed055219fea57b38f4e2",
            "tlsh": "09f02d4aa654e2dec63bc37ac0de2150092e0ff06241ceda0e588270cb010c62177330",
            "path": "fluent_panel_metrics-0.1.0.dist-info/METADATA"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha256": "9e79ada6e0d8ef238629beb68e277216d43cfddd8792ce0d232c40b4b840d35b",
                "blake2b_256": "673d8bcfd7d0a176fa62721788593ef6a884edd7f03b07ec4d05bc28b1b31d66",
                "md5": "d2dedb999ec6534361e7187e7de17ec0"
            },
            "filename": "fluent_panel_metrics-0.1.0-py3-none-any.whl"
        }
    ]
}