JPCERT/CC reports that Lazarus published malicious Python packages on PyPI, including pycryptoenv and pycryptoconf, with names chosen to resemble legitimate crypto libraries and catch installation typos. The packages carried XOR-encoded DLL data in test.py and loader code in __init__.py that could decode and run Comebacker, the same malware family previously tied to Lazarus activity against security researchers. The payload created IconCache.db and NTUSER.DAT, executed through rundll32, and sent HTTP POST beacons to C2 paths such as chaingrown.com/manage/manage.asp before loading a Windows executable in memory. JPCERT/CC notes similar Comebacker use in malicious npm packages, indicating Lazarus is abusing multiple package repositories to widen software supply chain exposure.