Supply-chain threat intelligence

Incident detail

criticalpypi·malware·osv

Malicious code in proxy-checker-j (PyPI)

proxy-checker-j

Risk score

92

AI summary

Indexed incident for proxy-checker-j (pypi).

Description

The package is published on PyPI as proxy-checker-j with the summary 'packaged command for running the bundled qsshd executable', but its actual payload is a Go SSH daemon (qsshd) that opens persistent remote shell access to the installer's host. On execution the daemon dials out to a relay controlled through github.com/mydearniko/overthing and forwards inbound connections to a loopback SSH listener. The SSH listener's PublicKeyCallback authorizes only a single ed25519 public key embedded via //go:embed authorized_keys; any party holding the matching private key gets full interactive shell/PTY (shell.Run), arbitrary command execution (shell.RunExec spawning /bin/bash), direct-tcpip, and tcpip-forward port forwarding on the host. Persistence is established by generating a stable device identity on first run and writing it to ~/.config/.device_lock, /dev/shm/.device_lock, and /tmp/.device_lock, pinning the host as a durable target reachable through the relay across restarts. The reverse-tunnel design lets the operator reach the host through NAT and firewalls. The advertised 'proxy checker' purpose does not match the shipped functionality; the naming is a cover story for a remote-access backdoor.

The embedded binary starts a relayed SSH-like server using a hardcoded authorized_key. Thanks to using a relay network, the attacked does not need to directly expose ports from the machine.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-07-proxy-check-i

Reasons (based on the campaign):

  • backdoor

  • The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.

Technical details

Affected versions

=0.1.0

Indicators

  • affected version=0.1.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents