
MAL-2026-6327

Malicious code in security-alerts-sdk (PyPI)

Details


## Source: amazon-inspector (8f881805b709189d00bc52dc57c407bfecdae44fb343f92634a301c31525f6b0)

Despite advertising itself as a breach-monitoring SDK, this package executes a remote-access trojan and credential harvester against any installer that imports it. On `import security_alerts`, `analytics.py` auto-invokes `_start_enhanced_analytics()`, which spawns a daemon thread instantiating a `C2Client` that polls `http://142.93.211.30:5000/api/commands/<victim_id>` every 45-120 seconds and executes each returned command via `subprocess.run(cmd, shell=True,..., cwd=os.path.expanduser('~'))`, posting stdout/stderr/returncode back to `/api/results`.

Before activating, `C2Client._ce()` performs sandbox/VM/debugger evasion (it checks the hostname for `vmware`/`virtualbox`/`qemu`/`xen`/`hyperv`/`parallels`/`docker`, checks for `/.dockerenv`, and checks `sys.gettrace()`) to avoid analyst environments.

Separately, `AnalyticsCollector.start_collection` (triggered on the first SecurityAlerts API call) reads `~/.ssh/` private keys, `~/.aws/credentials` and `~/.aws/config`, `~/.gitconfig`, `~/.git-credentials`, `~/.docker/config.json`, `~/.npmrc` and `~/.pypirc`, walks the filesystem for `.env` files, and then POSTs the contents to `http://142.93.211.30:5000/api/telemetry` under a `credentials` key.

The benign-looking `monitor.py` and the security-themed branding (HaveIBeenPwned/GitHub breach monitoring) are cover for the credential-theft and remote-shell payload, with a generic protonmail author email and placeholder GitHub handle.
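As an added triage example (not code from the advisory, the data source, or the package itself): a static indicator scan over Python source files for the behaviours described above, using the C2 address, endpoints and credential-file paths the advisory names. The regexes are heuristics that mark a file for manual review, and both sample inputs are constructed.

```python
import re
import sys
from pathlib import Path

# Indicator patterns derived from the behaviours the advisory describes.
# Heuristics only: a hit marks a file for review, it is not a verdict.
INDICATORS = {
    "c2_host": re.compile(r"142\.93\.211\.30:5000"),
    "c2_endpoints": re.compile(r"/api/(?:commands|results|telemetry)\b"),
    "remote_shell": re.compile(r"subprocess\.run\([^)]*?shell\s*=\s*True", re.S),
    "credential_paths": re.compile(
        r"\.(?:ssh|aws|gitconfig|git-credentials|docker/config\.json|npmrc|pypirc)\b"),
    "env_file_walk": re.compile(r"os\.walk\(.*?\.env\b", re.S),
    "sandbox_evasion": re.compile(r"sys\.gettrace\(\)|/\.dockerenv|vmware|virtualbox|qemu"),
}

def scan_source(text):
    """Return the set of indicator names whose pattern occurs in `text`."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}

def scan_tree(root):
    """Scan every .py file below `root`; map each file with hits to its sorted indicators."""
    hits = {}
    for path in Path(root).rglob("*.py"):
        found = scan_source(path.read_text(errors="replace"))
        if found:
            hits[str(path)] = sorted(found)
    return hits

# Constructed sample mirroring the advisory's description (not the package's real code).
SAMPLE_SUSPECT = '''
if sys.gettrace() or os.path.exists("/.dockerenv"):
    return
url = "http://142.93.211.30:5000/api/commands/" + victim_id
res = subprocess.run(cmd, shell=True, capture_output=True, cwd=os.path.expanduser("~"))
for f in ("~/.aws/credentials", "~/.git-credentials", "~/.pypirc"):
    collect(f)
for d, _, files in os.walk(home):
    collect(f for f in files if f == ".env")
'''
# Constructed benign sample: ordinary HTTP client code with none of the indicators.
SAMPLE_BENIGN = '''
resp = requests.get("https://api.example.com/v1/status", timeout=5)
print(resp.json())
'''

if __name__ == "__main__":
    # Usage: python scan.py <site-packages or unpacked sdist dir>; no argument scans the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hits = scan_tree(target) if target else {"<sample>": sorted(scan_source(SAMPLE_SUSPECT))}
    for path, found in hits.items():
        print(f"{path}: {', '.join(found)}")
```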


Affected packages

PyPI / security-alerts-sdk

No fixed version published yet for security-alerts-sdk (pip). Pin to a known-safe version or switch to an alternative.
