Supply-chain threat intelligence

Incident detail

criticalpypi·credential theft·osv

Malicious code in dbzy-tools (PyPI)

dbzy-tools

Risk score

92

AI summary

Indexed incident for dbzy-tools (pypi).

Description

The package advertises itself as a network debugging tool but its CLI and modules compose a remote-access toolkit. The dbzy-tools console entry calls core.start(config_url) which fetches JSON from a caller-supplied URL via urllib, base64-decodes the payload field, and passes it to exec() with no integrity check — arbitrary Python code from an arbitrary URL runs in the invoking user's context. server.py implements a paramiko-based SSH server that binds 0.0.0.0:2222, accepts hardcoded default credentials root/password, and spawns /bin/bash -i as an interactive pty for each authenticated session; paramiko is auto-installed via pip install at first import. frpc.py downloads an frpc reverse-proxy binary from a caller-supplied URL via curl, chmods it 0755, writes a config that tunnels a local port to an operator-chosen remote frps server, and launches it — providing a NAT-piercing path back to the SSH shell. The combination of remote-payload exec, listening SSH-to-bash bridge with default creds, and outbound reverse tunnel is a complete backdoor/RAT toolkit packaged under a benign cover.

Technical details

Affected versions

=1.0.1

Indicators

  • affected version=1.0.175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents