Two malicious packages — kube-health-tools (npm) and kube-node-health (PyPI) — were discovered targeting Kubernetes environments. Both use Kubernetes-themed names to appear legitimate while silently installing a multi-stage backdoor. Stage 1 is a compiled native binary (a Cython .so or Node.js .node addon) that downloads a Go-based stage 2 RAT from GitHub, then erases all traces of itself within two seconds. The stage 2 binary establishes reverse tunnels via Chisel over WebSocket to a C2 server, exposing SSH, HashiCorp Vault, and an OpenAI-compatible LLM proxy. The LLM proxy routes AI requests through Chinese intermediary aggregators (shubiaobiao, cloudsway, volengine, etc.), effectively turning compromised servers into relay nodes in a gray-market AI reselling operation. The attack is linked to the broader Chinese proxy ecosystem driven by Great Firewall restrictions. Beyond cheap AI access, such routers pose serious risks: malicious operators can inject tool calls into coding agent responses or silently exfiltrate API keys and credentials. IOCs including package names, file hashes, C2 domains, and process indicators are provided.
Table of contents
- Stage 1: The Droppers
- Stage 2: Remote Access Trojan
- The LLM Proxy
- The Chinese Proxy Ecosystem
- Malicious LLM Routers
- How Aikido Detects This
- IOCs
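A defender's check for the two package names reported in the summary above, as an added example that is not code from the original write-up or from Aikido: it scans requirements.txt and package-lock.json content, covering nested npm entries and PyPI spelling variants of the name. The function names, sample inputs and versions are constructed for illustration.

```python
import json
import re

# Package names from the summary above, keyed by ecosystem.
MALICIOUS = {"npm": {"kube-health-tools"}, "pypi": {"kube-node-health"}}

def pep503(name):
    """PyPI names are case-insensitive and treat runs of - _ . as equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_requirements(text):
    """Return (line_no, requirement) for flagged entries in requirements.txt."""
    hits = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or pip option
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m and pep503(m.group(0)) in MALICIOUS["pypi"]:
            hits.append((n, line))
    return hits

def scan_package_lock(text):
    """Return lockfile locations of flagged npm packages, direct or nested."""
    lock = json.loads(text)
    hits = []
    # lockfileVersion 2/3: flat "packages" map keyed by install path.
    for path in lock.get("packages", {}):
        if path.rpartition("node_modules/")[2] in MALICIOUS["npm"]:
            hits.append(path)
    # lockfileVersion 1: nested "dependencies" tree.
    def walk(deps, trail):
        for name, meta in deps.items():
            if name in MALICIOUS["npm"]:
                hits.append(" > ".join(trail + [name]))
            walk(meta.get("dependencies", {}), trail + [name])
    if "packages" not in lock:
        walk(lock.get("dependencies", {}), [])
    return hits

# Constructed sample inputs; versions and neighbouring packages are made up.
SAMPLE_REQS = "requests==2.31.0\nKube_Node.Health>=0.1  # variant spelling\n"
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/express": {"version": "4.18.2"},
    "node_modules/express/node_modules/kube-health-tools": {"version": "1.0.0"},
}})

if __name__ == "__main__":
    print(scan_requirements(SAMPLE_REQS))
    print(scan_package_lock(SAMPLE_LOCK))
```

The scan reads manifests and lockfiles rather than installed files because the summary says stage 1 erases its own traces after running.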