Supply-chain threat intelligence
Risk score
92
Indexed incident for proxy-checker-j (pypi).
The package is published on PyPI as proxy-checker-j with the summary 'packaged command for running the bundled qsshd executable', but its actual payload is a Go SSH daemon (qsshd) that opens persistent remote shell access to the installer's host. On execution the daemon dials out to a relay controlled through github.com/mydearniko/overthing and forwards inbound connections to a loopback SSH listener. The SSH listener's PublicKeyCallback authorizes only a single ed25519 public key embedded via //go:embed authorized_keys; any party holding the matching private key gets full interactive shell/PTY (shell.Run), arbitrary command execution (shell.RunExec spawning /bin/bash), direct-tcpip, and tcpip-forward port forwarding on the host. Persistence is established by generating a stable device identity on first run and writing it to ~/.config/.device_lock, /dev/shm/.device_lock, and /tmp/.device_lock, pinning the host as a durable target reachable through the relay across restarts. The reverse-tunnel design lets the operator reach the host through NAT and firewalls. The advertised 'proxy checker' purpose does not match the shipped functionality; the naming is a cover story for a remote-access backdoor.
The embedded binary starts a relayed SSH-like server using a hardcoded authorized_key. Thanks to using a relay network, the attacked does not need to directly expose ports from the machine.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-07-proxy-check-i
Reasons (based on the campaign):
backdoor
The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.
Affected versions
Indicators
Timeline