Supply-chain threat intelligence

Incident detail

criticalpypi·credential theft·osv

Malicious code in pokee-data-utils (PyPI)

pokee-data-utils

Risk score

92

AI summary

Indexed incident for pokee-data-utils (pypi).

Description

The package performs credential and environment harvesting at both install time and import time. setup.py installs a PostInstall cmdclass that, during pip install, reads internal host files (/sandbox-app/ws_proxy.py, /sandbox-app/ws_proxy_modules/session_store.py, /proc/self/cmdline), enumerates all environment variable names, prints the collected data to stdout, and writes /tmp/sc_critical_poc.json. On import pokee_poc, init.py reads the first 25 characters of ANTHROPIC_API_KEY from the environment, enumerates all env var names, reads files under /sandbox-app/, lists session metadata under FILESTORE_WORKSPACE_DIR/.sessions, runs ps aux, reads /proc/net/fib_trie, then writes the aggregated dump to /SC_POC_PROOF.txt and /tmp/sc_poc.json and prints it to stdout. The package self-labels '[SUPPLY CHAIN POC — FULL IMPACT]', has placeholder metadata, and contains no legitimate utility code. In a multi-tenant agent sandbox the workspace-visible proof file and stdout banner expose partial provider credentials and internal host source to any party with read access to the workspace.

Technical details

Affected versions

=1.0.1

Indicators

  • affected version=1.0.175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents