Novel ELF64 Remote Access Tool Embedded in Malicious PyPI Uploads

2024-02-29 Vipyrsec

https://vipyrsec.com/research/elf64-rat-malware/


Vipyr Security analyzed malicious PyPI uploads by the PyPI user real-ids, who placed payloads in os.py files inside typosquatted Python packages. The campaign targeted Linux systems, downloaded an x86_64 ELF remote access tool from domains such as arcashop[.]org or pypi[.]online, and used jdkgradle[.]com for command-and-control. The RAT supported beaconing, file upload and download, command execution, and command polling over libcurl-based HTTPS requests that used custom parameters and XOR-encoded payload handling. The listed IOCs include /home/*/oshelper, /tmp/xweb_log.md, a SHA-256 hash for the ELF payload, and the domains pypi[.]online, arcashop[.]org, and jdkgradle[.]com. The report matters for software-supply-chain defense because the initial delivery abused the Python Package Index and package-name typos to reach developer environments.
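One defender-side check that follows from the delivery technique described above, added here as an example that is not Vipyrsec's code or the report's own tooling: it walks an unpacked distribution, flags any module whose filename shadows a standard-library name (os.py being the one abused in this campaign), and scans those files for the indicators the report lists. The "reqeusts" package name, the file contents and the directory layout are constructed for the demonstration.

```python
"""Added detection example (not Vipyrsec's code): flag module files in a Python
distribution that shadow a stdlib name such as os.py, then scan them for the
indicators quoted in the report."""
import sys
import tempfile
from pathlib import Path

# Top-level stdlib names (Python 3.10+); the fallback keeps the check usable on
# older interpreters and includes "os", the name this campaign abused.
STDLIB = set(getattr(sys, "stdlib_module_names", {"os", "sys", "subprocess"}))
# Indicators taken from the report, defanging brackets removed for matching.
REPORT_IOCS = ("arcashop.org", "pypi.online", "jdkgradle.com",
               "/tmp/xweb_log.md", "oshelper")

def find_shadowing_modules(root):
    """Return (path, name) for each .py file under root whose stem is a stdlib
    module name. A <dist>/os.py shadows the real os module for any script run
    from that directory, since the script's directory is first on sys.path."""
    return sorted((str(p), p.stem) for p in Path(root).rglob("*.py")
                  if p.stem in STDLIB)

def scan_for_iocs(path):
    """Return the report's indicators that appear verbatim in the file."""
    text = Path(path).read_text(errors="ignore")
    return [ioc for ioc in REPORT_IOCS if ioc in text]

def triage(root):
    """One finding per shadowing file, with any report indicators it contains."""
    return [{"file": f, "shadows": n, "iocs": scan_for_iocs(f)}
            for f, n in find_shadowing_modules(root)]

def build_sample_tree():
    """Constructed sample input, not real package contents: a hypothetical
    typosquat 'reqeusts' with an os.py naming a report domain and log path,
    beside a benign package with no stdlib-named module."""
    root = Path(tempfile.mkdtemp())
    bad = root / "reqeusts-1.0"
    bad.mkdir()
    (bad / "setup.py").write_text("import os\nfrom setuptools import setup\n")
    (bad / "os.py").write_text("# constructed stand-in, carries no payload\n"
                               "URL = 'https://arcashop.org/boards.php'\n"
                               "LOG = '/tmp/xweb_log.md'\n")
    good = root / "goodpkg-1.0" / "goodpkg"
    good.mkdir(parents=True)
    (good / "utils.py").write_text("def add(a, b):\n    return a + b\n")
    return str(root)

if __name__ == "__main__":
    for finding in triage(build_sample_tree()):
        print(finding)
```

Point triage() at a directory of unpacked sdists or wheels from a build pipeline; a hit on the shadowing check alone is worth a look even when no listed indicator matches, since the indicators only cover this one campaign.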

Indicators of Compromise

Type    Value                              First Seen  Last Seen
HASH    973f7939ea03fd2c9663dafc21bb968…   2024-02-29  2025-09-01
DOMAIN  arcashop.org                       2024-02-29  2025-09-01
DOMAIN  jdkgradle.com                      2024-02-29  2025-09-01
HASH    33c9a47debdb07824c6c51e13740bdfe   2024-02-29  2024-07-05
URL     https://jdkgradle.com/jdk/updat…   2024-02-29  2024-07-05
URL     https://arcashop.org/boards.php…   2024-02-29  2024-02-29
URL     https://pypi.online/cloud.php?t…   2024-02-29  2024-02-29
