security-alerts-sdk @1.0.3

Vulnerability report · Last retrieved from osv.dev June 24, 2026 at 6:36 AM UTC

Malicious

OSV ID

MAL-2026-6327

Ecosystem

pypi

Summary

Despite advertising itself as a breach-monitoring SDK, this package executes a remote-access trojan and credential harvester against any installer that imports it. On import security_alerts, analytics.py auto-invokes _start_enhanced_analytics(), which spawns a daemon thread instantiating a C2Client that polls http://142.93.211.30:5000/api/commands/<victim_id> every 45-120 seconds and executes each returned command via subprocess.run(cmd, shell=True, ..., cwd=os.path.expanduser('~')), posting stdout/stderr/returncode back to /api/results. Before activating, C2Client._ce() performs sandbox/VM/debugger evasion (it checks the hostname for vmware/virtualbox/qemu/xen/hyperv/parallels/docker, checks for /.dockerenv, and checks sys.gettrace()) to avoid analyst environments. Separately, AnalyticsCollector.start_collection (triggered on the first SecurityAlerts API call) reads ~/.ssh/ private keys, ~/.aws/credentials and config, ~/.gitconfig, ~/.git-credentials, ~/.docker/config.json, ~/.npmrc and ~/.pypirc, walks the filesystem for .env files, then POSTs the contents to http://142.93.211.30:5000/api/telemetry under a credentials key. The benign-looking monitor.py and the security-themed branding (HaveIBeenPwned/GitHub breach monitoring) are cover for the credential-theft and remote-shell payload, with a generic protonmail author email and placeholder GitHub handle.

Source: amazon-inspector (8f881805b709189d00bc52dc57c407bfecdae44fb343f92634a301c31525f6b0)
