proxy-checker-j @0.1.0
Vulnerability report · Last retrieved from osv.dev July 15, 2026 at 7:51 AM UTC
OSV ID
MAL-2026-10644
Ecosystem
pypi
Summary
The package is published on PyPI as proxy-checker-j with the summary 'packaged command for running the bundled qsshd executable', but its actual payload is a Go SSH daemon ( qsshd ) that opens persistent remote shell access to the installer's host. On execution the daemon dials out to a relay controlled through github.com/mydearniko/overthing and forwards inbound connections to a loopback SSH listener. The SSH listener's PublicKeyCallback authorizes only a single ed25519 public key embedded via //go:embed authorized_keys ; any party holding the matching private key gets full interactive shell/PTY ( shell.Run ), arbitrary command execution ( shell.RunExec spawning /bin/bash ), direct-tcpip , and tcpip-forward port forwarding on the host. Persistence is established by generating a stable device identity on first run and writing it to ~/.config/.device_lock , /dev/shm/.device_lock , and /tmp/.device_lock , pinning the host as a durable target reachable through the relay across restarts. The reverse-tunnel design lets the operator reach the host through NAT and firewalls. The advertised 'proxy checker' purpose does not match the shipped functionality; the naming is a cover story for a remote-access backdoor.
Source: amazon-inspector (4316f8f54acc92939cdf73074666eecab7d5e680c7c4ad572ad3164671aa19dc)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.