MAL-2026-6231

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/improvado-layout-panel-metrics/MAL-2026-6231.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6231
Published
2026-06-19T22:45:50Z
Modified
2026-06-20T05:16:46.278973872Z
Summary
Malicious code in improvado-layout-panel-metrics (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (61cc6b0b5d5efe4675f4159e8bc8f6380970614c1dc36b553207fa73fa66104e)

The package's top-level fluent_panel_metrics/__init__.py defines bootstrapruntimeprofile() and unconditionally invokes it at import. The function opens a TCP socket to 34.69.137.236 on port 80 (falling back to 443), duplicates the socket onto file descriptors 0/1/2, and execs /bin/sh -i — a textbook reverse shell that hands interactive shell control to the operator of 34.69.137.236 on any machine that imports the package (directly or transitively). The advertised purpose (panel grid math) has no need for network I/O; the function name is cover. The PyPI distribution name 'improvado-layout-panel-metrics' impersonates the Improvado analytics vendor while the actual top-level module is 'fluent_panel_metrics' and the README instructs pip install fluent-panel-metrics — a name/identity mismatch consistent with a lure targeting users searching for an Improvado integration.

Source: kam193 (5aeeeb45ef8a0d58b7679829291f01f8455c466a416fe3706e9d2042666a40de)

During import, the package starts a reverse shell.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-acme-widget-layout-utils

Reasons (based on the campaign):

  • The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.

Source: ossf-package-analysis (45281220c3d37f2fbfa7f18d1d963443a5521d4d5c37614b0843202c32e8d528)

The OpenSSF Package Analysis project identified 'improvado-layout-panel-metrics' @ 0.1.1 (pypi) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.
Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "5aeeeb45ef8a0d58b7679829291f01f8455c466a416fe3706e9d2042666a40de",
            "source": "kam193",
            "modified_time": "2026-06-19T22:45:50.662238Z",
            "id": "pypi/2026-06-acme-widget-layout-utils/improvado-layout-panel-metrics",
            "versions": [
                "0.1.0",
                "0.1.1"
            ],
            "import_time": "2026-06-19T23:27:35.537340913Z"
        },
        {
            "sha256": "45281220c3d37f2fbfa7f18d1d963443a5521d4d5c37614b0843202c32e8d528",
            "source": "ossf-package-analysis",
            "modified_time": "2026-06-19T22:52:55Z",
            "versions": [
                "0.1.1"
            ],
            "import_time": "2026-06-20T00:59:14.015310113Z"
        },
        {
            "sha256": "36c4e74ac7bd28c4a5f7f943b6038586888b7c1d83f587a5ac52f43a48e09644",
            "source": "amazon-inspector",
            "modified_time": "2026-06-20T03:49:41Z",
            "versions": [
                "0.1.0"
            ],
            "id": "IN-MAL-2026-007090",
            "import_time": "2026-06-20T04:58:37.397189147Z"
        },
        {
            "sha256": "61cc6b0b5d5efe4675f4159e8bc8f6380970614c1dc36b553207fa73fa66104e",
            "source": "amazon-inspector",
            "modified_time": "2026-06-20T03:49:43Z",
            "versions": [
                "0.1.1"
            ],
            "id": "IN-MAL-2026-007091",
            "import_time": "2026-06-20T04:58:37.496342567Z"
        }
    ],
    "iocs": {
        "ips": [
            "34.69.137.236"
        ]
    }
}

Affected packages

PyPI / improvado-layout-panel-metrics

Package

Name
improvado-layout-panel-metrics
Purl
pkg:pypi/improvado-layout-panel-metrics

Affected ranges

Affected versions

0.*
0.1.0
0.1.1

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/improvado-layout-panel-metrics/MAL-2026-6231.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "deb7e4719fd96a1e456746ccdae5c064c367989c400a35e760f4f2c39d0f2a11",
            "tlsh": "1c311d52ed34d4abd573da2628d3a0427b1669831a8824bb3fbcc3241f130a756f1dec",
            "path": "fluent_panel_metrics/__init__.py"
        },
        {
            "sha256": "6328a6f7237dc3c78b2aa29c3bb81166d2d6db359f86a774c4b42be3139c4d2e",
            "tlsh": "66f02d5aa654e2ced93bd779c4de26601a2f0fb02251ceca0e598230cb020c66176334",
            "path": "improvado_layout_panel_metrics-0.1.0.dist-info/METADATA"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha256": "f69737f37272b62413625a1f3a224b94f2880c198f1a1a5486bc2502a6d0e262",
                "blake2b_256": "d63ed587dfd3a684735793e5669c3f6ec667c3df2beedbb54cad71ec155095a7",
                "md5": "1255d1fdbecb43f7c429ddca821d6ce0"
            },
            "filename": "improvado_layout_panel_metrics-0.1.0-py3-none-any.whl"
        }
    ]
}