MAL-2026-5271
Malicious code in goodoldtoulas (PyPI)
Details
--- _-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (5414e9956c915ef34d422d9eba09177fb667bba375c43e9d9b54d4f87b628712)

During `pip install goodoldtoulas`, setup.py invokes setup_helper() which downloads main.exe from https://cold-eu-par-1.gofile.io/download/web/deb39e07-da2d-4081-a86b-6380e555788c/main.exe (anonymous file host) into C:\MALWARE_DELETE and executes it via os.system('main.exe') (setup.py lines 6, 21, 33). The fetch is unpinned, has no hash verification, the destination is an opaque Windows binary, the host is not the publisher's domain, and the staging path name is self-incriminating. Any installer running pip install of this package on Windows fetches and executes an attacker-controlled binary at install time.

## Source: kam193 (24dbb5643933ff305b2eab164e820476f645ef2b59ad7c7cdfdeb2c3c3bfb98f)

During installation, the package attempts to download and run an executable imitating malicious activity.

---
Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.
Campaign: 2026-06-goodoldtoulas
Reasons (based on the campaign):
- The package overrides the install command in setup.py to execute malicious code during installation.
- Downloads and executes a remote executable.
Affected packages
No fixed version published yet for goodoldtoulas (pip). Pin to a known-safe version or switch to an alternative.