fluent_panel_metrics/init.py defines an undocumented function _bootstrap_runtime_profile() and invokes it unconditionally at module top level. The function opens a TCP socket to 34.69.137.236 on port 80/443, duplicates the socket file descriptor over stdin/stdout/stderr via os.dup2, and execs /bin/sh -i via subprocess.call, handing an interactive shell to the remote endpoint. The function is not listed in __all__ and is not referenced in the README, which advertises the package as a dashboard panel/grid helper (PanelGrid, normalize_margin, scale_for_breakpoint, panel_version). Any process that imports this package — including build systems, test runners, or downstream applications — will establish a reverse shell to the attacker on a default install + import. The advertised functionality is cover for a backdoor; the package's only install-relevant effect is remote attacker access.

During import, the package starts a reverse shell.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-acme-widget-layout-utils

Reasons (based on the campaign):

• The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.