Supply-chain threat intelligence
Risk score
92
Indexed incident for pokee-data-utils (pypi).
The package performs credential and environment harvesting at both install time and import time. setup.py installs a PostInstall cmdclass that, during pip install, reads internal host files (/sandbox-app/ws_proxy.py, /sandbox-app/ws_proxy_modules/session_store.py, /proc/self/cmdline), enumerates all environment variable names, prints the collected data to stdout, and writes /tmp/sc_critical_poc.json. On import pokee_poc, init.py reads the first 25 characters of ANTHROPIC_API_KEY from the environment, enumerates all env var names, reads files under /sandbox-app/, lists session metadata under FILESTORE_WORKSPACE_DIR/.sessions, runs ps aux, reads /proc/net/fib_trie, then writes the aggregated dump to /SC_POC_PROOF.txt and /tmp/sc_poc.json and prints it to stdout. The package self-labels '[SUPPLY CHAIN POC — FULL IMPACT]', has placeholder metadata, and contains no legitimate utility code. In a multi-tenant agent sandbox the workspace-visible proof file and stdout banner expose partial provider credentials and internal host source to any party with read access to the workspace.
Affected versions
Indicators
Timeline