MAL-2026-7023
Malicious code in dbzy-tools (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (a0432a46ed92acb897826fc16d26cba900bd3d18f0de5baa7f2909a44d9ec625) The package advertises itself as a network debugging tool but its CLI and modules compose a remote-access toolkit. The `dbzy-tools` console entry calls `core.start(config_url)` which fetches JSON from a caller-supplied URL via urllib, base64-decodes the `payload` field, and passes it to `exec()` with no integrity check — arbitrary Python code from an arbitrary URL runs in the invoking user's context. `server.py` implements a paramiko-based SSH server that binds 0.0.0.0:2222, accepts hardcoded default credentials `root`/`password`, and spawns `/bin/bash -i` as an interactive pty for each authenticated session; paramiko is auto-installed via `pip install` at first import. `frpc.py` downloads an frpc reverse-proxy binary from a caller-supplied URL via `curl`, chmods it 0755, writes a config that tunnels a local port to an operator-chosen remote frps server, and launches it — providing a NAT-piercing path back to the SSH shell. The combination of remote-payload exec, listening SSH-to-bash bridge with default creds, and outbound reverse tunnel is a complete backdoor/RAT toolkit packaged under a benign cover.
Are you affected?
Enter the version of the package you're using.
Affected packages
No fixed version published yet for dbzy-tools (pip). Pin to a known-safe version or switch to an alternative.