Malicious package: icinga (PyPI)

Malicious code in icinga (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2026-5532
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall icinga

What this malware does

PyPI package 'icinga' at version 99.1.0 is a dependency-confusion / typosquat lure against the Icinga monitoring project. It ships no real functionality (generic description 'Operational package utility', placeholder author 'Dev') and exists only to run an install-time beacon.

setup.py defines a CustomInstall command that, after install.run(self), collects host identifiers (COMPUTERNAME / uname nodename, current working directory, OS info, and the internal IP obtained via a UDP socket trick to 8.8.8.8) and POSTs them as JSON, tagged 'pypi-tg' / 'icinga', to a base64-encoded URL (aHR0cHM6Ly9weXRob24tbG9nLmxhcHhhMzU0LndvcmtlcnMuZGV2Lw== → https://python-log.lapxa354.workers.dev/) decoded at runtime via base64.b64decode and dispatched with urllib.request.urlopen. Exceptions are suppressed to keep the install silent. The implausibly high version number (99.1.0) is a classic dependency-confusion technique to outrank legitimate internal mirrors of an 'icinga' name.

Installer impact: any machine running pip install icinga (CI runner, developer workstation, internal build host) leaks its hostname, internal IP, working directory, and OS to the attacker, confirming that the typosquat lands and seeding follow-up targeted attacks.

Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.

Category: PROBABLY_PENTEST - Packages that look like typical pentest packages, and also anything that looks like testing, exploration of pre-prepared kits, research and the like, with clearly low potential for harm.

Campaign: GENERIC-standard-pypi-install-pentest

Reasons (based on the campaign):

  • The package contains code to exfiltrate basic data from the system, such as the IP address or username. The risk is limited.

  • The package overrides the install command in setup.py to execute malicious code during installation.
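As an added example (not part of this advisory or of O3 Security's tooling), a small static check that flags the three traits described in the analysis above and in the second reason: a setup.py class that subclasses the setuptools install command and overrides run, a base64 literal that decodes to a URL, and a urllib urlopen call. The embedded setup.py is a constructed fixture whose URL decodes to the reserved host example.invalid, not the package's own code.

```python
import ast
import base64

def decodes_to_url(call: ast.Call) -> bool:
    """True when call is b64decode(<literal>) and the literal decodes to http(s)://."""
    if not call.args or not isinstance(call.args[0], ast.Constant):
        return False
    raw = call.args[0].value
    raw = raw.encode() if isinstance(raw, str) else raw
    try:
        text = base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except (ValueError, TypeError):  # bad padding/charset, or a non-bytes literal
        return False
    return text.startswith(("http://", "https://"))

def scan_setup_py(source: str) -> list:
    """Return findings for one setup.py: install hook, base64 URL, urlopen."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            bases = {b.id if isinstance(b, ast.Name) else getattr(b, "attr", None) for b in node.bases}
            has_run = any(isinstance(f, ast.FunctionDef) and f.name == "run" for f in node.body)
            if "install" in bases and has_run:
                findings.append(f"{node.name} subclasses install and overrides run (install-time hook)")
        elif isinstance(node, ast.Call):
            fn = node.func
            name = fn.attr if isinstance(fn, ast.Attribute) else getattr(fn, "id", None)
            if name == "b64decode" and decodes_to_url(node):
                findings.append("base64 literal decodes to a URL (hidden endpoint)")
            elif name == "urlopen":
                findings.append("urlopen called from setup.py (network access at install time)")
    return findings

# Constructed fixture with the structure the advisory describes; the literal
# decodes to https://example.invalid/ (reserved TLD), not to any real endpoint.
SAMPLE_SETUP_PY = '''
import base64, urllib.request
from setuptools import setup
from setuptools.command.install import install
class CustomInstall(install):
    def run(self):
        install.run(self)
        try:
            url = base64.b64decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv").decode()
            urllib.request.urlopen(url, timeout=5)
        except Exception:
            pass
setup(name="example-lure", version="99.1.0", cmdclass={"install": CustomInstall})
'''
```

Run it over every setup.py in a vendored or mirrored dependency tree; three findings on one file is the profile described above, while a clean setup.py returns an empty list.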

Malicious versions

2 flagged: 99.1.0, 99.2.0

Indicators of compromise (SHA-256)


Frequently asked questions

No. icinga on PyPI has been identified as a malicious package (versions 99.1.0, 99.2.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

GENERIC-standard-pypi-install-pentest

  • IN-MAL-2026-005311
  • IN-MAL-2026-005314
  • IN-MAL-2026-005315
  • IN-MAL-2026-005310

Credits

  • Amazon Inspector · finder
  • Kamil Mańkowski (kam193) · reporter

icinga (PyPI) malicious package — MAL-2026-5532 | O3 Security