OSV ID
MAL-2026-5532
Ecosystem
pypi
Summary
PyPI package 'icinga' at version 99.1.0 is a dependency-confusion / typosquat lure against the Icinga monitoring project. It ships no real functionality (generic description 'Operational package utility', placeholder author 'Dev') and exists only to run an install-time beacon. setup.py defines a CustomInstall command that, after install.run(self), collects host identifiers (COMPUTERNAME / uname nodename, current working directory, OS info, and the internal IP obtained via a UDP socket trick to 8.8.8.8) and POSTs them as JSON, tagged 'pypi-tg' / 'icinga', to a base64-encoded URL (aHR0cHM6Ly9weXRob24tbG9nLmxhcHhhMzU0LndvcmtlcnMuZGV2Lw== → https://python-log.lapxa354.workers.dev/) decoded at runtime via base64.b64decode and dispatched with urllib.request.urlopen. Exceptions are suppressed to keep the install silent. The implausibly high version number (99.1.0) is a classic dependency-confusion technique to outrank legitimate internal mirrors of an 'icinga' name. Installer impact: any machine running pip install icinga (CI runner, developer workstation, internal build host) leaks its hostname, internal IP, working directory, and OS to the attacker — confirming the typosquat lands and seeding follow-up targeted attacks.
Source: amazon-inspector (fbedb312e9cfe0f5cc7783487adc963f142ebcaefa0fb9305a9a535f373b052d)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.