MAL-2026-10644
Malicious code in proxy-checker-j (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (4316f8f54acc92939cdf73074666eecab7d5e680c7c4ad572ad3164671aa19dc) The package is published on PyPI as `proxy-checker-j` with the summary 'packaged command for running the bundled qsshd executable', but its actual payload is a Go SSH daemon (`qsshd`) that opens persistent remote shell access to the installer's host. On execution the daemon dials out to a relay controlled through `github.com/mydearniko/overthing` and forwards inbound connections to a loopback SSH listener. The SSH listener's `PublicKeyCallback` authorizes only a single ed25519 public key embedded via `//go:embed authorized_keys`; any party holding the matching private key gets full interactive shell/PTY (`shell.Run`), arbitrary command execution (`shell.RunExec` spawning `/bin/bash`), `direct-tcpip`, and `tcpip-forward` port forwarding on the host. Persistence is established by generating a stable device identity on first run and writing it to `~/.config/.device_lock`, `/dev/shm/.device_lock`, and `/tmp/.device_lock`, pinning the host as a durable target reachable through the relay across restarts. The reverse-tunnel design lets the operator reach the host through NAT and firewalls. The advertised 'proxy checker' purpose does not match the shipped functionality; the naming is a cover story for a remote-access backdoor.
## Source: kam193 (8bbbe85539f267e6bac84fa2d7653392c9235106e5f97e124f06eda25cffb38c) The embedded binary starts a relayed SSH-like server using a hardcoded authorized_key. Thanks to using a relay network, the attacked does not need to directly expose ports from the machine.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-07-proxy-check-i
Reasons (based on the campaign):
- backdoor
- The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for proxy-checker-j (pip). Pin to a known-safe version or switch to an alternative.