Malicious code in dash-grid-normalizer (PyPI)

---

__

Source: amazon-inspector (362011eafffa765e7f6c24df4ec2c7bb8f9fb6b6414570a5d193e6ea90e1250a)

On import, src/dash_grid_normalizer/init.py calls _hydrate_remote_layout_profile(), which reassembles a payload from four string segments, base64-decodes and zlib-decompresses it, and passes the result to builtins.exec(). The decoded Python source imports os/socket/subprocess, connects a TCP socket to 43.69.137.236:80, dup2's stdin/stdout/stderr onto the socket, and execs /bin/sh — a standard reverse shell granting the operator of that IP interactive command execution as the installer's user. The C2 IP literal is itself further obfuscated as bytes([52,51,46,...]). The package's pyproject description ("Responsive grid and gutter helpers for dashboard widget layouts") and name are cover; the README self-identifies the project as a pentest probe with the reverse shell "LIVE CONFIRMED". Any process that does import dash_grid_normalizer (including transitive imports during test or build) opens the shell.

Source: kam193 (b27c5f3eaf2e7f704830efee579b0a413695540736da93bc3219bfda4afecc79)

During import, the package starts a reverse shell.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-acme-widget-layout-utils

Reasons (based on the campaign):

• The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.