On pip install boardflow, setup.py spawns a background thread that fetches http://pooron.org/test.exe over plain HTTP into the OS temp directory and executes it via subprocess.Popen with shell=True, suppressing stdout/stderr. The destination domain is unrelated to the package's advertised purpose (a CLI Kanban tool), the URL is unpinned and unverified (no hash, no signature, plain HTTP allowing MITM tampering), and the fetched.exe is attacker-controlled content executed with the privileges of the installing user. This is a classic install-time dropper that yields arbitrary remote code execution on every installer's machine.

During installation, package downloads and executes a remote executable identified as infostealer. The executable contains a VSCode extension with a modified code variant that during initialization downloads and executes a JS script from hardcoded location. During analysis, the script was inaccessible.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-boardflow

Reasons (based on the campaign):

• infostealer

• The package overrides the install command in setup.py to execute malicious code during installation.

• Downloads and executes a remote executable.

• malware