The package's top-level fluent_panel_metrics/init.py defines _bootstrap_runtime_profile() and unconditionally invokes it at import. The function opens a TCP socket to 34.69.137.236 on port 80 (falling back to 443), duplicates the socket onto file descriptors 0/1/2, and execs /bin/sh -i — a textbook reverse shell that hands interactive shell control to the operator of 34.69.137.236 on any machine that imports the package (directly or transitively). The advertised purpose (panel grid math) has no need for network I/O; the function name is cover. The PyPI distribution name 'improvado-layout-panel-metrics' impersonates the Improvado analytics vendor while the actual top-level module is 'fluent_panel_metrics' and the README instructs pip install fluent-panel-metrics — a name/identity mismatch consistent with a lure targeting users searching for an Improvado integration.

During import, the package starts a reverse shell.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-acme-widget-layout-utils

Reasons (based on the campaign):

• The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.

The OpenSSF Package Analysis project identified 'improvado-layout-panel-metrics' @ 0.1.1 (pypi) as malicious.

It is considered malicious because:

• The package executes one or more commands associated with malicious behavior.