MAL-2026-10672
Malicious code in northstart-sdk (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (aa58bcfb4f89faf624c1f99bb552e597cc2e061330a2e98e72e6f401bb70b4f9) The pypi package northstart-sdk 0.2.1 executes attacker-controlled code as a side effect of `import northstart_sdk`. The top-level `__init__.py` assigns `AUTO_DEMO_RESULTS = _run_bundled_encrypted_demos()`, which fetches 8 bytes from a hardcoded Yuque CDN PNG (https://cdn.nlark.com/yuque/0/2026/png/12727464/...png), uses them as PBKDF2-HMAC-SHA256 key material (with a static PNG-signature fallback so the shipped ciphertext is decryptable offline), decrypts JSON blobs under `src/northstart_sdk/_encrypted_demos/`, and passes the decrypted bytes to `compile()` and `exec()` via `_execute_source`. The bespoke crypto + remote-key-fetch construction serves only to keep the exec'd payload out of source review. The plaintext progenitor of that payload is shipped in the same tree at `encry/whats.ak`: length-prefixed framed socket I/O (`s.sendall(struct.pack('>I', len(enc)))`, matching `s.recv` framing), XOR/AES-GCM/ChaCha20/Fernet routines, RSA-OAEP key exchange, and an auth-message builder that transmits user/password/id fields to a remote peer, with function names obfuscated and misleading `# API endpoint handler` / `# Health check endpoint` comments. Importing the package launches a remote-controlled agent that opens an encrypted framed connection to an operator-controlled socket.
## Source: kam193 (3d6810f5c57750ef71c1a2ee0bc6516a3ba537caf263d8002cdd016623052d5a) The package contains encrypted and obfuscated code that starts a custom reverse shell/command execution during module import.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-07-northstart-sdk
Reasons (based on the campaign):
- targetted-attack
- The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.
- obfuscation
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for northstart-sdk (pip). Pin to a known-safe version or switch to an alternative.