VDB
EN

MAL-2026-10756

Malicious code in darkglitch (PyPI)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (6d02eb8be388433532783a7bf88864824b50756b7ced4f8728721866740c5df1) darkglitch 1.2.0 ships a listener mode (`-l -c`) that opens a WebSocket connection to the hardcoded signaling host `https://malware-signal.vercel.app/` and joins the fixed room `D4RKGLI7CH`. Incoming `remote-command` messages are passed directly into `subprocess.run(command, shell=True)` inside `_execute_command`, giving any party with access to that signaling server arbitrary shell execution on the host running the listener. `core/config.py` hardcodes the host and room. The `-r/--run` mode invokes PyInstaller with `--noconsole --onefile` to build `darkglitch_listener.exe`, a windowless Windows agent whose entry point immediately calls `asyncio.run(listen_bash_mode())`, packaging the same remote-shell listener as a hidden persistent agent. The self-labeling of the host as `malware-signal.vercel.app` and the room as `D4RKGLI7CH` matches the operational shape of a remote-access trojan.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / darkglitch

No fixed version published yet for darkglitch (pip). Pin to a known-safe version or switch to an alternative.

참고