Supply-chain threat intelligence

Incident detail

criticalpypi·credential theft·osv

Malicious code in fast-dotenv (PyPI)

fast-dotenv

Risk score

92

AI summary

Indexed incident for fast-dotenv (pypi).

Description

The package presents itself as a.env loader but on load()/config() spawns a background thread that, after a 72–96 hour activation delay jittered by hostname hash, decodes base64-obfuscated dead-drop URLs (a GitHub gist under opensource-crypto and a GitLab snippet under devtool-labs/config-snippets) to retrieve a JSON C2 configuration (host, port, path, fallback) and POSTs collected data to https://{c2}:{port}{path}. Data collected includes host/environment identity, environment variables whose names contain key/secret/token/password/auth/private/wallet/seed/mnemonic, and an enumeration of ~/.ssh/ (id_rsa, id_ed25519, id_ecdsa, config, known_hosts). The C2 URLs are stored as base64 literals in _CONFIG_SOURCES with cover comments describing them as documentation examples, hiding the network destinations from plain-text inspection. The long dormancy, remote-configurable destination, base64-obfuscated dead drops, and cover comments together are the shape of a staged supply-chain credential stealer.

When using the library, it schedules a delayed malware activation. Malicious code contacts remote URLs to get C2 location, then performs machine fingerprinting, including looking for sensitive environmental variables and SSH keys. The code seems not to exfiltrate their content in the analyzed version. Additionally, the embeded configuration URLs did not exist, but they led to related C2 configurations from the same GitHub account, which also seems to have created repositories with similar malicious code in other languages.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-07-fast-dotenv

Reasons (based on the campaign):

  • The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.

  • exfiltration-env-variables

  • exfiltration-ssh-keys

  • action-hidden-in-lib-usage

Technical details

Affected versions

=1.0.0

Indicators

  • affected version=1.0.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents