VDB
EN

MAL-2026-10754

Malicious code in airflow-provider-spirit (PyPI)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (b565bd72c6acb3adb077ac7923ddf40d12a4922cb8bea5d22a43590e7c57d8e6) The package is advertised as an Airflow provider but src/airflow_provider_spirit/__init__.py contains only a 20-line stub with no Airflow integration. setup.py's custom install command copies telemetry.pth into site-packages; that.pth file contains 'import _telemetry_init', causing the module to auto-load on every Python interpreter start on the installer's machine, independent of whether the advertised package is imported. _telemetry_init._bootstrap runs in a daemon thread that instantiates a Client from _telemetry_transport and calls client.track('session_start'), collecting hostname (platform.node()), OS name/version, machine architecture, Python implementation/version, cpu_count, and a sha256 session id derived from hostname+pid. _telemetry_transport.ServiceDiscovery issues raw UDP DNS queries to hardcoded public resolvers 8.8.8.8 and 1.1.1.1, retrieves TXT records under an 'N.<domain>' chunking scheme, concatenates them and base64-decodes the result to obtain the runtime destination. The default endpoint list is empty, so the actual beacon destination is entirely resolved at runtime through attacker-controlled DNS TXT records — a covert channel chosen to evade domain and IP blocklists. Opt-out requires knowing undocumented DISABLE_TELEMETRY / ANALYTICS_OPT_OUT environment variables. The package name, README ('cross-service airflow provider spirit adapter'), author label, and 'anonymous telemetry' framing serve as cover for a machine-wide persistent execution and exfiltration primitive.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / airflow-provider-spirit

No fixed version published yet for airflow-provider-spirit (pip). Pin to a known-safe version or switch to an alternative.

참고