Research
2025 Report: Destructive Malware in Open Source Packages
Destructive malware is rising across open source registries, using delays and kill switches to wipe code, break builds, and disrupt CI/CD.
By Kush Pandya - Dec 24, 2025
honeypotsjkdb
Artifacts are distributable versions of a package. It typically includes the source code and metadata
Advanced tools
honeypotsjkdb
30 different honeypots in one package! (dhcp, dns, elastic, ftp, http proxy, https proxy, http, https, imap, ipp, irc, ldap, memcache, mssql, mysql, ntp, oracle, pjl, pop3, postgres, rdp, redis, sip, smb, smtp, snmp, socks5, ssh, telnet, vnc)
- Version
- 0.1
- Maintainers
- 1
.. image:: https://raw.githubusercontent.com/qeeqbox/honeypots/main/readme/honeypots.png
30 different honeypots in a single PyPI package for monitoring network traffic, bots activities, and username \ password credentials.
Why honeypots package is very powerful?
The honeypots respond back, non-blocking, can be used as objects, or called directly with the in-built auto-configure scripts! Also, they are easy to setup and customize, it takes 1-2 seconds to spin a honeypot up. You can spin up multiple instances with the same type. The output can be logged to a Postgres database, file[s], terminal or syslog for easy integration.
This honeypots package is the only package that contains all the following: dhcp, dns, elastic, ftp, http_proxy, http, https, imap, ipp, irc, ldap, memcache, mssql, mysql, ntp, oracle, pjl, pop3, postgres, rdp, redis, sip, smb, smtp, snmp, socks5, ssh, telnet, vnc.
Honeypots now is in the awesome telekom security T-Pot project! <https://github.com/telekom-security/tpotce>_
Install
.. code:: bash
pip3 install honeypots
honeypots -h
.. code:: bash
Qeeqbox/honeypots customizable honeypots for monitoring network traffic, bots activities, and username\password credentials
Arguments:
--setup target honeypot E.g. ssh or you can have multiple E.g ssh,http,https
--list list all available honeypots
--kill kill all honeypots
--verbose Print error msgs
Honeypots options:
--ip Override the IP
--port Override the Port (Do not use on multiple!)
--username Override the username
--password Override the password
--config Use a config file for honeypots settings
--options Extra options (capture_commands for capturing all threat actor data)
General options:
--termination-strategy {input,signal} Determines the strategy to terminate by
--test Test a honeypot
--auto Setup the honeypot with random port
Usage Example - Auto configuration with default ports
Use a honeypot, or multiple honeypots separated by comma or word all
.. code:: bash
sudo -E python3 -m honeypots --setup ssh
Usage Example - Auto configuration with random port (No need for higher privileges)
Use a honeypot, or multiple honeypots separated by comma or word all
.. code:: bash
python3 -m honeypots --setup ssh --auto
Usage Example - Auto configure with specific ports
Use as honeypot:port or multiple honeypots as honeypot:port,honeypot:port
.. code:: bash
python3 -m honeypots --setup imap:143,mysql:3306,redis:6379
Usage Example - Custom configure with logs location
Use a honeypot, or multiple honeypots separated by comma or word all
.. code:: bash
python3 -m honeypots --setup ssh --config config.json
config.json (Output to folder and terminal)
.. code:: json
{
"logs": "file,terminal,json",
"logs_location": "/var/log/honeypots/",
"syslog_address": "",
"syslog_facility": 0,
"postgres": "",
"sqlite_file":"",
"db_options": [],
"sniffer_filter": "",
"sniffer_interface": "",
"honeypots": {
"ftp": {
"port": 21,
"ip": "0.0.0.0",
"username": "ftp",
"password": "anonymous",
"log_file_name": "ftp.log",
"max_bytes": 10000,
"backup_count": 10
}
}
}
config.json (Output to syslog)
.. code:: json
{
"logs": "syslog",
"logs_location": "",
"syslog_address": "udp://localhost:514",
"syslog_facility": 3,
"postgres": "",
"sqlite_file":"",
"db_options": [],
"sniffer_filter": "",
"sniffer_interface": "",
"honeypots": {
"ftp": {
"port": 21,
"ip": "0.0.0.0",
"username": "test",
"password": "test"
}
}
}
config.json (Output to Postgres db)
.. code:: json
{
"logs": "db_postgres",
"logs_location": "",
"syslog_address":"",
"syslog_facility":0,
"postgres":"//username:password@172.19.0.2:9999/honeypots",
"sqlite_file":"",
"db_options":["drop"],
"sniffer_filter": "",
"sniffer_interface": "",
"honeypots": {
"ftp": {
"port": 21,
"username": "test",
"password": "test"
}
}
}
config.json (Output to Sqlite db)
.. code:: json
{
"logs": "db_postgres",
"logs_location": "",
"syslog_address":"",
"syslog_facility":0,
"postgres":"",
"sqlite_file":"/home/test.db",
"db_options":["drop"],
"sniffer_sniffer_filter": "",
"sniffer_interface": "",
"honeypots": {
"ftp": {
"port": 21,
"username": "test",
"password": "test"
}
}
}
db structure
.. code:: json
[
{
"id": 1,
"date": "2021-11-18 06:06:42.304338+00",
"data": {
"server": "'ftp_server'",
"action": "'process'",
"status": "'success'",
"ip": "'0.0.0.0'",
"port": "21",
"username": "'test'",
"password": "'test'"
}
}
]
Usage Example - Import as object and auto test
.. code:: python
#ip= String E.g. 0.0.0.0
#port= Int E.g. 9999
#username= String E.g. Test
#password= String E.g. Test
#options= Boolean or String E.g OpenSSH 7.0
#logs= String E.g db, terminal or all
#always remember to add process=true to run_server() for non-blocking
from honeypots import QSSHServer
qsshserver = QSSHServer(port=9999)
qsshserver.run_server(process=True)
qsshserver.test_server(port=9999)
INFO:chameleonlogger:['servers', {'status': 'success', 'username': 'test', 'src_ip': '127.0.0.1', 'server': 'ssh_server', 'action': 'login', 'password': 'test', 'src_port': 38696}]
qsshserver.kill_server()
Usage Example - Import as object and test with external ssh command
.. code:: python
from honeypots import QSSHServer
qsshserver = QSSHServer(port=9999)
qsshserver.run_server(process=True)
.. code:: bash
ssh test@127.0.0.1
Honeypot answer
.. code:: python
INFO:chameleonlogger:['servers', {'status': 'success', 'username': 'test', 'src_ip': '127.0.0.1', 'server': 'ssh_server', 'action': 'login', 'password': 'test', 'src_port': 38696}]
Close the honeypot
.. code:: python
qsshserver.kill_server()
Current Servers/Emulators
- QDNSServer
- Server: DNS
- Port: 53
- Lib: Twisted
- Logs: ip, port
- QFTPServer
- Server: FTP
- Port: 21
- Lib: Twisted
- Logs: ip, port, username and password
- QHTTPProxyServer
- Server: HTTP Proxy
- Port: 8080
- Lib: Twisted
- Logs: ip, port and data
- QHTTPServer
- Server: HTTP
- Port: 80
- Lib: Twisted
- Logs: ip, port, username and password
- QHTTPSServer
- Server: HTTPS
- Port: 443
- Lib: Twisted
- Logs: ip, port, username and password
- QIMAPServer
- Server: IMAP
- Port: 143
- Lib: Twisted
- Logs: ip, port, username and password
- QMysqlServer
- Emulator: Mysql
- Port: 3306
- Lib: Twisted
- Logs: ip, port, username and password
- QPOP3Server
- Server: POP3
- Port: 110
- Lib: Twisted
- Logs: ip, port, username and password
- QPostgresServer
- Emulator: Postgres
- Port: 5432
- Lib: Twisted
- Logs: ip, port, username and password
- QRedisServer
- Emulator: Redis
- Port: 6379
- Lib: Twisted
- Logs: ip, port, username and password
- QSMBServer
- Server: Redis
- Port: 445
- Lib: impacket
- Logs: ip, port and username
- QSMTPServer
- Server: SMTP
- Port: 25
- Lib: smtpd
- Logs: ip, port, username and password
- QSOCKS5Server
- Server: SOCK5
- Port: 1080
- Lib: socketserver
- Logs: ip, port, username and password
- QSSHServer
- Server: SSH
- Port: 22
- Lib: paramiko
- Logs: ip, port, username and password
- QTelnetServer
- Server: Telnet
- Port: 23
- Lib: Twisted
- Logs: ip, port, username and password
- QVNCServer
- Emulator: VNC
- Port: 5900
- Lib: Twisted
- Logs: ip, port, username and password
- QMSSQLServer
- Emulator: MSSQL
- Port: 1433
- Lib: Twisted
- Logs: ip, port, username and password or hash
- QElasticServer
- Emulator: Elastic
- Port: 9200
- Lib: http.server
- Logs: ip, port and data
- QLDAPServer
- Emulator: LDAP
- Port: 389
- Lib: Twisted
- Logs: ip, port, username and password
- QNTPServer
- Emulator: NTP
- Port: 123
- Lib: Twisted
- Logs: ip, port and data
- QMemcacheServer
- Emulator: Memcache
- Port: 11211
- Lib: Twisted
- Logs: ip, port and data
- QOracleServer
- Emulator: Oracle
- Port: 1521
- Lib: Twisted
- Logs: ip, port and connet data
- QSNMPServer
- Emulator: SNMP
- Port: 161
- Lib: Twisted
- Logs: ip, port and data
acknowledgement
- By using this framework, you are accepting the license terms of all these packages:
pipenv twisted psutil psycopg2-binary dnspython requests impacket paramiko redis mysql-connector pycryptodome vncdotool service_identity requests[socks] pygments http.server - Let me know if I missed a reference or resource!
Some Articles
securityonline <https://securityonline.info/honeypots-16-honeypots-in-a-single-pypi-package/>_
Notes
- Almost all servers and emulators are stripped-down - You can adjust that as needed
Other projects
.. image:: https://raw.githubusercontent.com/qeeqbox/.github/main/data//social-analyzer.png :target: https://github.com/qeeqbox/social-analyzer
.. image:: https://raw.githubusercontent.com/qeeqbox/.github/main/data//analyzer.png :target: https://github.com/qeeqbox/analyzer
.. image:: https://raw.githubusercontent.com/qeeqbox/.github/main/data//chameleon.png :target: https://github.com/qeeqbox/chameleon
.. image:: https://raw.githubusercontent.com/qeeqbox/.github/main/data//osint.png :target: https://github.com/qeeqbox/osint
.. image:: https://raw.githubusercontent.com/qeeqbox/.github/main/data//url-sandbox.png :target: https://github.com/qeeqbox/url-sandbox
.. image:: https://raw.githubusercontent.com/qeeqbox/.github/main/data//mitre-visualizer.png :target: https://github.com/qeeqbox/mitre-visualizer
.. image:: https://raw.githubusercontent.com/qeeqbox/.github/main/data//woodpecker.png :target: https://github.com/qeeqbox/woodpecker
.. image:: https://raw.githubusercontent.com/qeeqbox/.github/main/data//docker-images.png :target: https://github.com/qeeqbox/docker-images
.. image:: https://raw.githubusercontent.com/qeeqbox/.github/main/data//seahorse.png :target: https://github.com/qeeqbox/seahorse
.. image:: https://raw.githubusercontent.com/qeeqbox/.github/main/data//rhino.png :target: https://github.com/qeeqbox/rhino
FAQs
30 different honeypots in one package! (dhcp, dns, elastic, ftp, http proxy, https proxy, http, https, imap, ipp, irc, ldap, memcache, mssql, mysql, ntp, oracle, pjl, pop3, postgres, rdp, redis, sip, smb, smtp, snmp, socks5, ssh, telnet, vnc)
We found that honeypotsjkdb demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Engineering with AI Podcast: The Promise of AI-First Development
Socket CTO Ahmad Nassri shares practical AI coding techniques, tools, and team workflows, plus what still feels noisy and why shipping remains human-led.
By Sarah Gooding - Dec 24, 2025
Research
/Security News
Spearphishing Campaign Abuses npm Registry to Target U.S. and Allied Manufacturing and Healthcare Organizations
A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft.
By Nicholas Anderson, Kirill Boychenko - Dec 23, 2025