
MAL-2026-6076

Malicious code in pystylish (PyPI)

Details

--- _-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (3a6a09e52477106b9586e89c2b0207bdc51e6d22dad500b7cc12a424d684c35b)

On `import pystylish`, the package's `__init__.py` spawns a daemon thread that downloads a Windows executable from https://goy.mikoz.xyz/boh3.exe, writes it to `%TEMP%/vcredist_x86.exe` (disguised as the Microsoft Visual C++ runtime installer), and executes it via `subprocess.Popen`. The domain is unrelated to the package's stated purpose (a terminal color/fade library) and is not a publisher-controlled host. To evade local DNS controls, the loader resolves the C2 domain through DNS-over-HTTPS (Cloudflare 1.1.1.1/dns-query and dns.google/resolve), then connects to the resolved IP with a manual Host header so /etc/hosts entries and sinkholes are bypassed. Error paths print a fake `Failed to connect to discord.com:80` message regardless of the actual destination, providing cover for the unrelated outbound traffic. The package is a typosquat/clone of the legitimate `pystyle` library by billythegoat356: the README still points at `github.com/billythegoat356/pystyle` while the package is published under the name `pystylish`, and the library API is copied verbatim from pystyle with the dropper appended. Any developer who installs and imports pystylish (including transitively) will silently fetch and run an attacker-controlled binary on Windows.

## Source: kam193 (f8318d882352a4515c0598fc728a7609874502d0e42f98a8f47214307d07aec8)

Clone of a legitimate package. During import, the code downloads and executes a malicious executable.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-pystylish

Reasons (based on the campaign):

- Downloads and executes a remote executable.

- malware

- clones-real-package
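Added defender-side example, not part of this advisory or of the OSV tooling: a scan over the installed Python distributions that flags the package name recorded here and, more generally, any distribution whose metadata URLs point at a GitHub repository with a different name, which is the clone pattern the amazon-inspector analysis describes (pystylish shipping pystyle's README). Only the `pystylish` name comes from this page; the heuristic, function names and thresholds are assumptions.

```python
"""Flag installed distributions that are known-malicious or look like clones."""
import re
from importlib.metadata import distributions

# Package name taken from MAL-2026-6076; extend with other advisories as needed.
KNOWN_MALICIOUS = {"pystylish"}

# Matches github.com/<owner>/<repo> anywhere in a metadata URL value
# (Project-URL values look like "Repository, https://github.com/o/r").
GITHUB_RE = re.compile(r"github\.com/([^/\s]+)/([^/\s#?]+)", re.IGNORECASE)


def normalize(name):
    """PEP 503-style normalization so 'My_Pkg' and 'my-pkg' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower().rstrip("-")


def repo_name_mismatch(dist_name, urls):
    """Return the GitHub repo name if it differs from the distribution name.

    A mismatch is not proof of malice (forks and renamed projects exist),
    but it is the signal this advisory reports: a package published as
    'pystylish' whose metadata still points at billythegoat356/pystyle.
    """
    for url in urls:
        match = GITHUB_RE.search(url)
        if match:
            repo = normalize(match.group(2).removesuffix(".git"))
            if repo != normalize(dist_name):
                return repo
    return None


def assess(dist_name, urls):
    """Classify one distribution from its name and its metadata URLs."""
    if normalize(dist_name) in KNOWN_MALICIOUS:
        return "known-malicious"
    mismatch = repo_name_mismatch(dist_name, urls)
    if mismatch:
        return f"clone-suspect (metadata points at '{mismatch}')"
    return "ok"


def scan_environment():
    """Run assess() over every installed distribution; return the findings."""
    findings = []
    for dist in distributions():
        md = dist.metadata
        urls = list(md.get_all("Project-URL") or [])
        if md.get("Home-page"):
            urls.append(md["Home-page"])
        verdict = assess(md["Name"], urls)
        if verdict != "ok":
            findings.append((md["Name"], dist.version, verdict))
    return findings


if __name__ == "__main__":
    for name, version, verdict in scan_environment():
        print(f"{name}=={version}: {verdict}")
```

Run it inside the virtual environment under review; a clean environment prints nothing.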


Affected packages

PyPI / pystylish

No fixed version published yet for pystylish (pip). Pin to a known-safe version or switch to an alternative.

References