Supply-chain threat intelligence

Incident detail

criticalpypi·crypto miner·osv

Malicious code in proxy-check-ii (PyPI)

proxy-check-ii

Risk score

92

AI summary

Indexed incident for proxy-check-ii (pypi).

Description

The wheel is advertised as 'proxy-check-ii' with a one-line summary of 'packaged command for running the bundled qsshd executable' and no README, homepage, source, or author metadata. It installs a 7.7MB prebuilt Go binary at qsshd/bin/qsshd (sha256 b63ca13bc013aea83a8a9876ce1959cc07ced44e4912908e8d831f8c3b0fd72f) and a Python console script proxy-check-ii whose main() is a bare os.execv of that binary with any caller-supplied args forwarded. Strings in the binary show it links golang.org/x/crypto/ssh, github.com/hashicorp/yamux, and github.com/mydearniko/overthing/pkg/{relay,network,protocol} — an SSH/PTY server multiplexed over a yamux relay, consistent with a reverse-tunneled remote-shell overlay. The declared package name and metadata do not disclose that installing and running proxy-check-ii stands up an SSH daemon; the pure-python wheel tag also misrepresents the shipped platform-specific ELF payload. The Python wrapper performs no auditing or configuration of the binary — its runtime behavior (bind address, rendezvous endpoint, authorized keys, whether it dials out to a preset overlay) is opaque to the caller.

The embedded binary starts a relayed SSH-like server using a hardcoded authorized_key. Thanks to using a relay network, the attacked does not need to directly expose ports from the machine.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-07-proxy-check-i

Reasons (based on the campaign):

  • backdoor

  • The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.

Technical details

Affected versions

=0.1.0

Indicators

  • affected version=0.1.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents