MAL-2026-5725
Malicious code in dash-grid-normalizer (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (362011eafffa765e7f6c24df4ec2c7bb8f9fb6b6414570a5d193e6ea90e1250a)

On import, src/dash_grid_normalizer/__init__.py calls _hydrate_remote_layout_profile(), which reassembles a payload from four string segments, base64-decodes and zlib-decompresses it, and passes the result to builtins.exec(). The decoded Python source imports os/socket/subprocess, connects a TCP socket to 43.69.137.236:80, dup2's stdin/stdout/stderr onto the socket, and execs /bin/sh — a standard reverse shell granting the operator of that IP interactive command execution as the installer's user. The C2 IP literal is itself further obfuscated as bytes([52,51,46,...]). The package's pyproject description ("Responsive grid and gutter helpers for dashboard widget layouts") and name are cover; the README self-identifies the project as a pentest probe with the reverse shell "LIVE CONFIRMED". Any process that does `import dash_grid_normalizer` (including transitive imports during test or build) opens the shell.
## Source: kam193 (b27c5f3eaf2e7f704830efee579b0a413695540736da93bc3219bfda4afecc79)

During import, the package starts a reverse shell.
---
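The loader shape described in the amazon-inspector analysis above (string segments joined, base64-decoded, zlib-inflated and handed to builtins.exec, with the C2 address hidden in a bytes([...]) list) can be triaged statically before a package is ever imported. The following is an added detection example written for this advisory, not code from the package or from either reporting source: it parses a file with Python's ast module and flags exec/eval co-occurring with base64/zlib decoding, plus any bytes-list literal that spells an IPv4 address, and runs over a constructed, inert sample in that shape (the blob is junk and 127.0.0.1 stands in for the real address).

```python
import ast
import re

EXEC_NAMES = {"exec", "builtins.exec", "eval", "builtins.eval"}
DECODER_NAMES = {"base64.b64decode", "zlib.decompress"}
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def _dotted(node):
    """'pkg.attr' for a call target built only from names, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def _hidden_ipv4(call):
    """Decode a bytes([int, ...]) literal; return the text if it spells an IPv4 address."""
    elts = call.args[0].elts if call.args and isinstance(call.args[0], ast.List) else None
    if not elts or not all(isinstance(e, ast.Constant) and isinstance(e.value, int) and 0 <= e.value < 256 for e in elts):
        return None
    text = bytes(e.value for e in elts).decode("ascii", "replace")
    return text if IPV4.match(text) else None

def scan_source(src):
    """Return sorted (line, message) findings for one Python source file (static only, nothing is run)."""
    findings, seen = [], {}  # seen: dotted call name -> a line it is called on
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        if name:
            seen.setdefault(name, node.lineno)
        if name == "bytes" and (ip := _hidden_ipv4(node)):
            findings.append((node.lineno, f"IPv4 address hidden in bytes([...]): {ip}"))
    decoders = sorted(DECODER_NAMES & set(seen))
    for name in sorted(EXEC_NAMES & set(seen)):
        if decoders:  # exec/eval next to a decode step is the stage-2 loader shape from the advisory
            findings.append((seen[name], f"{name} in same file as {', '.join(decoders)}"))
    return sorted(findings)

# Constructed, inert sample in the advisory's loader shape: the blob is junk and never executed
SAMPLE = '''\
import base64, builtins, zlib
_S1, _S2, _S3 = "eJwr", "SM1J", "BQAEXgHL"
def _hydrate_remote_layout_profile():
    blob = _S1 + _S2 + _S3
    builtins.exec(zlib.decompress(base64.b64decode(blob)))
C2 = bytes([49, 50, 55, 46, 48, 46, 48, 46, 49]).decode()  # placeholder 127.0.0.1, not the real C2
'''
```

Run scan_source over each .py file in an unpacked sdist or wheel before installation; a hit on both rules in an `__init__.py` is a strong reason to quarantine the package rather than import it.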
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-acme-widget-layout-utils
Reasons (based on the campaign):
- The package contains code to create a reverse shell, allowing an attacker to execute arbitrary commands on the victim's machine.
Affected packages
No fixed version published yet for dash-grid-normalizer (pip). Pin to a known-safe version or switch to an alternative.