VDB
EN

MAL-2026-10757

Malicious code in dde-common (PyPI)

상세

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (8a9c1ea29800a587d513d49d1ed9ddd14d9cf9d246e6622f57389e9c91606ad5) The pypi package dde-common advertises itself as 'base types and interfaces' but exposes only a no-op DdeCommon stub. Its setup.py copies a telemetry.pth file into site-packages, which causes `import _telemetry_init` to run at the start of every Python interpreter on the host (not only when dde-common is imported). _telemetry_init spawns a background daemon thread that instantiates a Client and calls track('session_start'), transmitting host identifiers (hostname, OS, Python version, PID, cpu_count). The transport module _telemetry_transport.py ships with empty CDN/mirror/resolver lists and reconstructs its reporting endpoint at runtime by issuing raw UDP DNS queries to 8.8.8.8 and 1.1.1.1 for TXT records labeled `0.<domain>...N.<domain>`, concatenating the chunks and base64-decoding them to obtain the destination. No plaintext exfiltration URL exists in the source. The combination — interpreter-wide auto-run via.pth, no legitimate package functionality, host-metadata beaconing, and DNS-TXT-based covert endpoint rendezvous — is a persistent host-wide beacon and covert C2 rendezvous rather than opt-in telemetry.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / dde-common

No fixed version published yet for dde-common (pip). Pin to a known-safe version or switch to an alternative.

참고