Supply-chain threat intelligence

Incident detail

criticalpypi·credential theft·osv

Malicious code in dde-common (PyPI)

dde-common

Risk score

92

AI summary

Indexed incident for dde-common (pypi).

Description

The pypi package dde-common advertises itself as 'base types and interfaces' but exposes only a no-op DdeCommon stub. Its setup.py copies a telemetry.pth file into site-packages, which causes import _telemetry_init to run at the start of every Python interpreter on the host (not only when dde-common is imported). _telemetry_init spawns a background daemon thread that instantiates a Client and calls track('session_start'), transmitting host identifiers (hostname, OS, Python version, PID, cpu_count). The transport module _telemetry_transport.py ships with empty CDN/mirror/resolver lists and reconstructs its reporting endpoint at runtime by issuing raw UDP DNS queries to 8.8.8.8 and 1.1.1.1 for TXT records labeled 0.<domain>...N.<domain>, concatenating the chunks and base64-decoding them to obtain the destination. No plaintext exfiltration URL exists in the source. The combination — interpreter-wide auto-run via.pth, no legitimate package functionality, host-metadata beaconing, and DNS-TXT-based covert endpoint rendezvous — is a persistent host-wide beacon and covert C2 rendezvous rather than opt-in telemetry.

Technical details

Affected versions

=0.0.1

Indicators

  • affected version=0.0.175%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents