Supply-chain threat intelligence

Incident detail

criticalpypi·typosquatting·osv

Malicious code in pkg-fallback (PyPI)

pkg-fallback

Risk score

92

AI summary

Indexed incident for pkg-fallback (pypi).

Description

setup.py performs an unconditional urllib.request.urlopen() at install time to a hardcoded plaintext bare-IP endpoint http://157.254.194.200:8080/dependency-payload-1.0.0.tar.gz, with exceptions silently swallowed. This fires automatically during pip install (build/setup phase), confirming code execution on the installer's machine and disclosing the installer's network identity to attacker-controlled infrastructure. The distribution is published as 'pkg-fallback' but ships an unrelated 'string_kit' module described as 'string-kit' in README/PKG-INFO; the name/module divergence together with the install-time bare-IP beacon and the attacker-suggestive payload filename ('dependency-payload') is consistent with a dependency-confusion staging/enumeration package rather than a genuine utility.

Package exploits dependency confusion. A beacon request is used to report usage back, but no additional information are exfiltrated.


Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: GENERIC-beacon-dependency-confusion

Reasons (based on the campaign):

  • typosquatting

  • dependency-confusion

Technical details

Affected versions

=1.1.0>=0

Indicators

  • affected version=1.1.075%
  • affected version>=075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents