Malicious Packages in npm and PyPI Discovered Installing LLM Proxy Backdoors on Servers
Key Takeaways
- Two-stage supply chain attack leveraging npm and PyPI with Kubernetes-themed package names targeting organizations running containerized infrastructure
- Sophisticated post-exploitation capabilities including reverse SSH tunnels, secrets vault access, and LLM traffic proxying tied to commercial AI reselling operations
- Advanced anti-forensics and evasion techniques including automated evidence deletion, process name spoofing, and XOR-encrypted C2 communications designed to evade detection
Summary
Security researchers have discovered two malicious packages, kube-health-tools on npm and kube-node-health on PyPI, that deploy a multi-stage backdoor designed to turn compromised servers into proxies that relay Chinese LLM traffic. The packages use innocuous-sounding names referencing Kubernetes to evade detection, but contain native binaries that download and execute a sophisticated remote access trojan (RAT) capable of establishing reverse tunnels to SSH, HashiCorp Vault, and an LLM proxy service. The attack employs advanced evasion techniques, including XOR-encrypted configuration blobs, process name spoofing to masquerade as legitimate health-check daemons, and automated evidence erasure that removes all traces of installation within seconds of execution. The stage 2 binary connects to a command-and-control server at sync[.]geeker[.]indevs[.]in and exposes victim machines through both reverse tunnels and ngrok fallbacks, granting attackers comprehensive access to internal services and secrets management systems commonly found in Kubernetes environments.
- Attack infrastructure reveals hardcoded C2 credentials and multi-fallback mechanisms (ngrok), suggesting an operationally mature, persistent, and sophisticated threat actor
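
One way to check dependency manifests and logs for the indicators named above, as an added example that is not from the original report: it flags the two package names in requirements files and in npm manifests or lockfiles (PyPI names are compared after PEP 503 normalization, so `Kube_Node.Health` still matches) and flags log lines naming the C2 host. The function names, sample inputs and version numbers are constructed for illustration.

```python
import json
import re

# Names and C2 host as reported on this page (host kept defanged in source).
BAD = {"npm": {"kube-health-tools"}, "pypi": {"kube-node-health"}}
C2_HOST = "sync[.]geeker[.]indevs[.]in".replace("[.]", ".")

def pep503(name):
    """PyPI treats runs of '-', '_' and '.' as equal and ignores case."""
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_requirements(text):
    """Flag PyPI names in requirements.txt or `pip freeze` output."""
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank line or pip option
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m and pep503(m.group(0)) in BAD["pypi"]:
            hits.append(m.group(0))
    return hits

def scan_npm_manifest(text):
    """Flag npm names in package.json or package-lock.json (v1 to v3)."""
    doc, hits = json.loads(text), set()
    def walk(deps):  # package.json and lockfile v1: (nested) dependency maps
        for name, meta in (deps or {}).items():
            if name.lower() in BAD["npm"]:
                hits.add(name)
            if isinstance(meta, dict):
                walk(meta.get("dependencies"))
    for key in ("dependencies", "devDependencies", "optionalDependencies"):
        walk(doc.get(key))
    for path in doc.get("packages", {}):  # lockfile v2/v3: "node_modules/<name>"
        name = path.rpartition("node_modules/")[2]
        if name.lower() in BAD["npm"]:
            hits.add(name)
    return sorted(hits)

def scan_logs(lines):  # DNS/proxy log lines that name the reported C2 host
    return [ln for ln in lines if C2_HOST in ln.lower()]

# Constructed sample inputs (not taken from any real system).
REQS = "requests==2.32.0\nKube_Node.Health==1.0.3  # odd spelling, same project\n"
LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"}, "node_modules/express": {"version": "4.19.2"},
    "node_modules/express/node_modules/kube-health-tools": {"version": "1.0.0"}}})
print(scan_requirements(REQS), scan_npm_manifest(LOCK))
```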



