Malicious package with a chain of multiple manual dependencies to finally download malicious code. During import, it manually downloads a dependency from GitHub repository "Hexa-devy/netflow-utils", which then attempts to download "codexio-boop/platform_syslib". The last one contains obfuscated code that during installation connects with node22.lunes[.]host:3258 and downloads encrypted payload. The payload is executed, and it then starts another loop of connections to node22.lunes[.]host:22240 and awaits next payloads to execute. During analysis, this stage did not deliver any payload. On every stage, short-living generated tokens are used.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-requests-enhancer

Reasons (based on the campaign):

• backdoor

• The package overrides the install command in setup.py to execute malicious code during installation.

• obfuscation

• The malicious code is intentionally included in a dependency of the package

• The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.