Supply-chain threat intelligence

critical · pypi · credential theft · osv

Malicious code in twrap-toolkit (PyPI)

twrap-toolkit

Risk score

92

AI summary

Indexed incident for twrap-toolkit (pypi).

Description

During import, the package downloads and executes an obfuscated script. The code then adds a new authorized SSH key and reports back the IP address of the current environment. After that, the code also attempts to exfiltrate cryptocurrency wallet data.


Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-textwrap-toolkit-stager

Reasons (based on the campaign):

  • backdoor

  • obfuscation

  • crypto-related

  • Downloads and executes a remote malicious script.

  • exfiltration-crypto

Technical details

Affected versions

=1.0.0

Indicators

  • affected version=1.0.0 · 75%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg
