goodoltoulas @0.1.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID: MAL-2026-5272
Ecosystem: pypi
Summary
On pip install goodoltoulas, setup.py unconditionally invokes setup_helper(), which downloads an opaque PE binary from an anonymous file-hosting service (storage.filebin.net) into C:\MALWARE_DELETE\main.exe and launches it via subprocess.Popen with CREATE_NEW_CONSOLE. There is no hash check, signature verification, or version pinning, and the hosting service is unrelated to any package publisher. The library surface is a thin decoy: __init__.py forwards all attribute access to the requests module and the README advertises 'A simple request cloner for Python', providing cover for the install-time dropper. The drop path uses a self-incriminating directory name (C:\MALWARE_DELETE) and the download response carries the content type application/vnd.microsoft.portable-executable, confirming hostile intent. Any Windows host that runs pip install on this package executes attacker-controlled code immediately, at install time, before the library is ever imported.
Source: amazon-inspector (98a84d10e07878c98ffa21b3920940b10ffac4d3cdd66250c046391ea502aaff)