Which versions of fluent-dashboard-panel-metrics are malicious?

The following PyPI versions of fluent-dashboard-panel-metrics are flagged malicious: 0.1.0. Treat any of these as compromised.

How do I remediate fluent-dashboard-panel-metrics if I installed it?

Remove fluent-dashboard-panel-metrics from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is fluent-dashboard-panel-metrics part of a known attack campaign?

Yes — fluent-dashboard-panel-metrics is associated with the 2026-06-acme-widget-layout-utils, IN-MAL-2026-007089 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect fluent-dashboard-panel-metrics in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking fluent-dashboard-panel-metrics and packages like it before any post-install script runs.

Malicious package

fluent-dashboard-panel-metricsPyPI

Malicious code in fluent-dashboard-panel-metrics (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-6233

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall fluent-dashboard-panel-metrics

What this malware does

fluent_panel_metrics/init.py defines an undocumented function _bootstrap_runtime_profile() and invokes it unconditionally at module top level. The function opens a TCP socket to 34.69.137.236 on port 80/443, duplicates the socket file descriptor over stdin/stdout/stderr via os.dup2, and execs /bin/sh -i via subprocess.call, handing an interactive shell to the remote endpoint. The function is not listed in __all__ and is not referenced in the README, which advertises the package as a dashboard panel/grid helper (PanelGrid, normalize_margin, scale_for_breakpoint, panel_version). Any process that imports this package — including build systems, test runners, or downstream applications — will establish a reverse shell to the attacker on a default install + import. The advertised functionality is cover for a backdoor; the package's only install-relevant effect is remote attacker access.

During import, the package starts a reverse shell.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-acme-widget-layout-utils

Reasons (based on the campaign):

The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.

Malicious versions

1 flagged

0.1.0

Indicators of compromise (SHA-256)

7b6ebe4856f2e752a8a410e04066fe9549c08c220567169c2a50f9d50a328031

9e745c609fb43daaa93911ae2edcb05b1ffd3cec1c6ec55c321597e9e39eb153

Frequently asked questions

No. fluent-dashboard-panel-metrics on PyPI has been identified as a malicious package (version 0.1.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2026-06-acme-widget-layout-utilsIN-MAL-2026-007089

References

Credits

Amazon Inspector · finder
Kamil Mańkowski (kam193) · reporter

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection