This analysis was performed using vet and SafeDep Cloud Malicious Package Analysis. Integrate with GitHub using the vet-action GitHub Action.
The package downloads and executes an executable from a hardcoded URL, a common malware technique. It is assessed as malicious with high confidence.
The package k7eel2-ss contains code that downloads and executes an executable file from a hardcoded URL (https://github.com/deprosinal/legendary-funicular/raw/refs/heads/main/helo.exe). This behavior is observed in both k7eel/__init__.py and k7eel/main.py. The downloaded file is saved as randar.exe and then executed using subprocess.run. Downloading and executing arbitrary executables is a common technique used by malware to install itself or download additional payloads. The use of shell=True in k7eel/__init__.py also introduces a potential command injection vulnerability, although the filename is hardcoded. This combination of behaviors strongly suggests that the package is malicious.