pypi

dbzy-tools @1.0.1

Vulnerability report · Last retrieved from osv.dev July 9, 2026 at 1:25 AM UTC

Malicious

OSV ID

MAL-2026-7023

Ecosystem

pypi

Summary

The package advertises itself as a network debugging tool but its CLI and modules compose a remote-access toolkit. The dbzy-tools console entry calls core.start(config_url) which fetches JSON from a caller-supplied URL via urllib, base64-decodes the payload field, and passes it to exec() with no integrity check — arbitrary Python code from an arbitrary URL runs in the invoking user's context. server.py implements a paramiko-based SSH server that binds 0.0.0.0:2222, accepts hardcoded default credentials root / password , and spawns /bin/bash -i as an interactive pty for each authenticated session; paramiko is auto-installed via pip install at first import. frpc.py downloads an frpc reverse-proxy binary from a caller-supplied URL via curl , chmods it 0755, writes a config that tunnels a local port to an operator-chosen remote frps server, and launches it — providing a NAT-piercing path back to the SSH shell. The combination of remote-payload exec, listening SSH-to-bash bridge with default creds, and outbound reverse tunnel is a complete backdoor/RAT toolkit packaged under a benign cover.

Source: amazon-inspector (a0432a46ed92acb897826fc16d26cba900bd3d18f0de5baa7f2909a44d9ec625)

Protect your entire dependency tree

Scan your lock files automatically on every PR. Block malicious packages before they reach production.