Supply-chain threat intelligence
Risk score: 92
Indexed incident for testpackagemanyhttpsgo (pypi).
At install time, setup.py fetches https://tmpfiles.org/dl/wawHVGgfydD7/6a306c5f03a52.exe via urllib, writes the response to disk, and executes it with os.system("cmd /c start 6a306c5f03a52.exe"). tmpfiles.org is an anonymous, throwaway file-hosting service; the URL is unpinned and unverified, the payload is an opaque Windows executable, and the package's metadata (author and description both equal to the package name) is placeholder content consistent with a throwaway publisher account. Any Windows host running pip install for this package will fetch and execute attacker-controlled bytes automatically, with no opt-in or verification.
During installation, the code attempts to download and start a malicious executable.
Likely related to 2025-08-raknet-testing-package.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-easyaillm
Reasons (based on the campaign):
Downloads and executes a remote executable.
obfuscation
malware