This tunnel technique is a unique tactic used by the threat actor. The idea is to leverage the tunnel to remotely access the compromised computer via a Flask-based app, which contains a trojan dubbed xrat (but codenamed poweRAT by Phylum). The malicious program allows the threat actors to execute arbitrary Python code, download and run remote files on the host, exfiltrate files and entire directories, run shell commands, and more. The Flask application also supports a "live" mode: it takes snapshots of the system and listens for mouse and keyboard events to capture any sensitive data the victim types. "This thing is like a RAT on steroids. It has all the basic RAT capabilities built into a nice web GUI with a rudimentary remote desktop capability and a stealer to boot," stated Phylum. The findings offer another view into how attackers' strategies for launching supply chain attacks against open-source package repositories are constantly evolving.
https://thehackernews.com/2023/01/malicious-pypi-packages-using.html