VDB
KO

MAL-2026-5698

Malicious code in nagios-xi (PyPI)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c11c80cc2d314460d61a649c84fd75881388470382be8183b77b362e562a5c7f) On `import nagios_xi`, the package's `__init__.py` (lines 5-8) invokes `socket.gethostbyname("atlass-check.autaeqjhfowvnnmkwhxjtq8x39d8nder1.oast.fun")` inside a silent try/except. oast.fun is ProjectDiscovery's Interactsh out-of-band callback service; the DNS query itself is the exfiltration channel, confirming code execution on the installer's host and leaking the resolver IP to whoever controls the unique 32-character Interactsh subdomain. The package ships no actual functionality — it impersonates the Nagios XI commercial monitoring product (name `nagios-xi`, version `19.5.0` mimicking real Nagios XI versioning) while declaring an anonymous ProtonMail author (`Coding Team <pocbug@protonmail.com>`), a generic `package utility` description, and an empty README. The combination of brand impersonation, placeholder metadata, and an import-time OAST beacon as the package's sole behavior is reconnaissance for a supply-chain attack against developers searching for Nagios XI integrations.

## Source: kam193 (d8b27c2588accf4f2966f4630a12f9bfdc4ba621403f14237160632447152f23) Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.

---

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: GENERIC-standard-pypi-install-pentest

Reasons (based on the campaign):

- The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.

- The package overrides the install command in setup.py to execute malicious code during installation.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / nagios-xi

No fixed version published yet for nagios-xi (pip). Pin to a known-safe version or switch to an alternative.

References