Malicious package: fluent-panel-metrics (PyPI)

Malicious code in fluent-panel-metrics (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-6182
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall fluent-panel-metrics

What this malware does

fluent_panel_metrics/__init__.py defines _bootstrap_runtime_profile() and invokes it unconditionally at module load. The function opens a TCP socket to the hardcoded IP 34.69.137.236 on port 443 (with fallback to port 80), duplicates the socket file descriptor onto stdin/stdout/stderr via os.dup2, and execs /bin/sh -i via subprocess.call — a textbook interactive reverse shell. Any process that runs import fluent_panel_metrics hands an interactive shell to the remote endpoint. The package's METADATA advertises it as a small dashboard layout helper (PanelGrid, normalize_margin, scale_for_breakpoint) with no documented network behavior, and the reverse-shell call is not referenced in __all__, the README, or the metadata — a cover-story package whose only real effect is the backdoor.

During import, the package starts a reverse shell.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-acme-widget-layout-utils

Reasons (based on the campaign):

  • The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.

Malicious versions

1 flagged
0.1.0

Indicators of compromise (SHA-256)

5070e6c32009ce1bb1f2f499ab4e0012123e7aeed52828d107825ecdacd6d678
95598f66d3e0a4ecbfe9dcd01c1d5f0be9b78bee23b200758a92dac8f8a00d9e
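A dependency check a practitioner might run in response to this advisory. This is an added example, not code from the advisory or from O3 Security; the package name, flagged version and SHA-256 indicators are the ones listed above, while the sample requirements lines are constructed. It looks for the package in requirements-style files (with PEP 503 name normalization so `fluent_panel_metrics` and `Fluent-Panel-Metrics` both match), in the running interpreter's installed distributions, and for any file under a directory whose SHA-256 matches a listed indicator. A requirement for the package at any version, pinned or not, is reported, since the advisory says to remove it rather than pin around it.

```python
import hashlib
import re
import sys
from importlib import metadata
from pathlib import Path

# Values taken from the advisory.
FLAGGED_PACKAGE = "fluent-panel-metrics"
FLAGGED_VERSIONS = {"0.1.0"}
IOC_SHA256 = {
    "5070e6c32009ce1bb1f2f499ab4e0012123e7aeed52828d107825ecdacd6d678",
    "95598f66d3e0a4ecbfe9dcd01c1d5f0be9b78bee23b200758a92dac8f8a00d9e",
}

# name, optional [extras], optional ==version
REQ_LINE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?:==\s*([^\s;]+))?"
)


def normalize_name(name: str) -> str:
    """PEP 503 normalization: runs of '-', '_' and '.' become '-', lower-cased."""
    return re.sub(r"[-_.]+", "-", name).lower()


def find_in_requirements(lines, flagged: str = FLAGGED_PACKAGE):
    """Return (name, version_or_None) for requirement lines naming the flagged package."""
    hits = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("-"):  # skip blanks and options like -r/-e
            continue
        m = REQ_LINE.match(line)
        if m and normalize_name(m.group(1)) == flagged:
            hits.append((m.group(1), m.group(2)))
    return hits


def find_installed(flagged: str = FLAGGED_PACKAGE):
    """Return (name, version, install root) for matching distributions in this interpreter."""
    found = []
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name and normalize_name(name) == flagged:
            found.append((name, dist.version, str(dist.locate_file(""))))
    return found


def sha256_of_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_ioc_files(root, iocs=IOC_SHA256):
    """Return (path, digest) for every regular file under root whose SHA-256 is an indicator."""
    matches = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            digest = sha256_of_file(p)
            if digest in iocs:
                matches.append((p, digest))
    return matches


if __name__ == "__main__":
    # Constructed sample requirements content (not from the advisory).
    sample = """\
requests==2.31.0
fluent_panel_metrics==0.1.0   # pulled in by a dashboard helper
Fluent-Panel-Metrics
"""
    for name, version in find_in_requirements(sample.splitlines()):
        status = "flagged version" if version in FLAGGED_VERSIONS else "remove regardless of version"
        print(f"requirements: {name} {version or '(unpinned)'}: {status}")
    for name, version, where in find_installed():
        print(f"installed: {name} {version} at {where}: uninstall and rotate reachable secrets")
    scan_root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.cwd()
    for p, digest in find_ioc_files(scan_root):
        print(f"IoC match: {p} {digest}")
```

Run it with a directory argument (for example a site-packages path or a build cache) to hash everything beneath it; without one it scans the current directory. A hash hit or an installed match is the trigger for the immediate-action steps above, uninstalling the package and rotating any credentials the importing process could reach.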

Frequently asked questions

Is fluent-panel-metrics safe to use?

No. fluent-panel-metrics on PyPI has been identified as a malicious package (version 0.1.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2026-06-acme-widget-layout-utils (IN-MAL-2026-007040)

Credits

  • Amazon Inspector · finder
  • Kamil Mańkowski (kam193) · reporter

fluent-panel-metrics (PyPI) malicious package — MAL-2026-6182 | O3 Security