-= Per source details. Do not edit below this line.=-
The typosquatted package installs a Mythic/Poseidon C2 framework beacon and ensures persistence. After installation, the beacon communicates with C2 on wegoexchange[.]site for further commands.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-07-tennacity
Reasons (based on the campaign):
typosquatting
Downloads and executes a remote executable.
The package contains code to detect if it is running in a sandbox environment.
malware
persistence
{
"iocs": {
"domains": [
"wegoexchange.site",
"easyswapnow.pro",
"easyswasnow.pro"
],
"urls": [
"https://easyswapnow.pro/downloads/lix_amd.bin",
"https://easyswapnow.pro/downloads/lix_arm.bin",
"https://easyswapnow.pro/downloads/mac_amd.bin",
"https://easyswapnow.pro/downloads/mac_arm.bin",
"https://easyswasnow.pro/downloads/lix_amd.bin",
"https://easyswasnow.pro/downloads/lix_arm.bin",
"https://easyswasnow.pro/downloads/mac_amd.bin",
"https://easyswasnow.pro/downloads/mac_arm.bin",
"https://drive.google.com/uc?export=download&id=1d4zF8lnDaYCgzRrEx3WCyLTFZXVD2QBF&confirm=t",
"http://wegoexchange.site/data"
]
},
"malicious-packages-origins": [
{
"sha256": "b01e8dfbdf9823541eee73bd52086cac9e0ea70246992afe74873372b5d6a293",
"versions": [
"0.7.8"
],
"source": "kam193",
"id": "pypi/2026-07-tennacity/pylogora",
"modified_time": "2026-07-15T17:30:11.232386Z",
"import_time": "2026-07-15T17:59:58.799412181Z"
}
]
}