MAL-2026-10547
Malicious code in pokee-data-utils (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (4b6677ea5f73a9b1fbbc0dc209ef6b5d31077f316df63eec1ba4054f60645431) The package performs credential and environment harvesting at both install time and import time. setup.py installs a PostInstall cmdclass that, during `pip install`, reads internal host files (/sandbox-app/ws_proxy.py, /sandbox-app/ws_proxy_modules/session_store.py, /proc/self/cmdline), enumerates all environment variable names, prints the collected data to stdout, and writes /tmp/sc_critical_poc.json. On `import pokee_poc`, __init__.py reads the first 25 characters of ANTHROPIC_API_KEY from the environment, enumerates all env var names, reads files under /sandbox-app/, lists session metadata under FILESTORE_WORKSPACE_DIR/.sessions, runs `ps aux`, reads /proc/net/fib_trie, then writes the aggregated dump to <workspace>/SC_POC_PROOF.txt and /tmp/sc_poc.json and prints it to stdout. The package self-labels '[SUPPLY CHAIN POC — FULL IMPACT]', has placeholder metadata, and contains no legitimate utility code. In a multi-tenant agent sandbox the workspace-visible proof file and stdout banner expose partial provider credentials and internal host source to any party with read access to the workspace.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for pokee-data-utils (pip). Pin to a known-safe version or switch to an alternative.