Supply-chain threat intelligence

Incident detail

criticalpypi·crypto miner·osv

Malicious code in northstart-sdk (PyPI)

northstart-sdk

Risk score

92

AI summary

Indexed incident for northstart-sdk (pypi).

Description

The pypi package northstart-sdk 0.2.1 executes attacker-controlled code as a side effect of import northstart_sdk. The top-level __init__.py assigns AUTO_DEMO_RESULTS = _run_bundled_encrypted_demos(), which fetches 8 bytes from a hardcoded Yuque CDN PNG (https://cdn.nlark.com/yuque/0/2026/png/12727464/...png), uses them as PBKDF2-HMAC-SHA256 key material (with a static PNG-signature fallback so the shipped ciphertext is decryptable offline), decrypts JSON blobs under src/northstart_sdk/_encrypted_demos/, and passes the decrypted bytes to compile() and exec() via _execute_source. The bespoke crypto + remote-key-fetch construction serves only to keep the exec'd payload out of source review. The plaintext progenitor of that payload is shipped in the same tree at encry/whats.ak: length-prefixed framed socket I/O (s.sendall(struct.pack('>I', len(enc))), matching s.recv framing), XOR/AES-GCM/ChaCha20/Fernet routines, RSA-OAEP key exchange, and an auth-message builder that transmits user/password/id fields to a remote peer, with function names obfuscated and misleading # API endpoint handler / # Health check endpoint comments. Importing the package launches a remote-controlled agent that opens an encrypted framed connection to an operator-controlled socket.

The package contains encrypted and obfuscated code that starts a custom reverse shell/command execution during module import.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-07-northstart-sdk

Reasons (based on the campaign):

  • targetted-attack

  • The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.

  • obfuscation

Technical details

Affected versions

=0.1.0=0.2.0=0.2.1=0.2.2

Indicators

  • affected version=0.1.075%
  • affected version=0.2.075%
  • affected version=0.2.175%
  • affected version=0.2.275%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents