Supply-chain threat intelligence
Risk score
92
Indexed incident for proxy-check-ii (pypi).
The wheel is advertised as 'proxy-check-ii' with a one-line summary of 'packaged command for running the bundled qsshd executable' and no README, homepage, source, or author metadata. It installs a 7.7MB prebuilt Go binary at qsshd/bin/qsshd (sha256 b63ca13bc013aea83a8a9876ce1959cc07ced44e4912908e8d831f8c3b0fd72f) and a Python console script proxy-check-ii whose main() is a bare os.execv of that binary with any caller-supplied args forwarded. Strings in the binary show it links golang.org/x/crypto/ssh, github.com/hashicorp/yamux, and github.com/mydearniko/overthing/pkg/{relay,network,protocol} — an SSH/PTY server multiplexed over a yamux relay, consistent with a reverse-tunneled remote-shell overlay. The declared package name and metadata do not disclose that installing and running proxy-check-ii stands up an SSH daemon; the pure-python wheel tag also misrepresents the shipped platform-specific ELF payload. The Python wrapper performs no auditing or configuration of the binary — its runtime behavior (bind address, rendezvous endpoint, authorized keys, whether it dials out to a preset overlay) is opaque to the caller.
The embedded binary starts a relayed SSH-like server using a hardcoded authorized_key. Thanks to using a relay network, the attacked does not need to directly expose ports from the machine.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-07-proxy-check-i
Reasons (based on the campaign):
backdoor
The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.
Affected versions
Indicators
Timeline