kube-node-health @1.0.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-2400
Ecosystem
pypi
Summary
During import, the code downloads and starts a remote executable that later connects to a C2 server, likely establishing a reverse tunnel. After executing the remote binary, the code covers its tracks by removing the binary from disk and, depending on the version, modifying the package code. The dropper code is either a Python script or a compiled binary with the location of the remote binary and the config for it obfuscated.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-03-kube-health-tools
Reasons (based on the campaign):
- Downloads and executes a remote executable.
- backdoor
- obfuscation
- covering-tracks
Source: kam193 (391555cff14c82156843bee267daf896c3e3e989b9c899ef34b12ac7e23b1c7e)