VMConnect: Malicious PyPI packages imitate popular open source modules
2023-08-03 • ReversingLabs
ReversingLabs identified the VMConnect PyPI supply-chain campaign, in which 24 malicious packages impersonated popular Python modules such as vConnector, eth-tester, and databases, each paired with a linked GitHub project from which the malicious code had been omitted. The packages implemented enough legitimate functionality to deceive developers, but VMConnect's __init__.py decoded Base64-obfuscated code at import time and executed it in a separate process. The payload built a host-specific C2 URL, repeatedly polled the command-and-control server for additional Base64-encoded commands, and executed follow-on code only if the operator chose that host as a target. The campaign shows a more deliberate repository-abuse pattern than simple typosquatting, because the malicious PyPI releases were backed by benign-looking project infrastructure; since the GitHub source did not match the published distribution, reviewing the linked repository was no substitute for inspecting the artifact actually fetched from PyPI.
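The decode-and-execute chain described above can be triaged statically before a package is imported. The following is an added example, not ReversingLabs' code and not the malware itself: an AST scan of a package's __init__.py that flags exec()/eval()/compile() or process spawning applied to data produced by a Base64 decoder. The two __init__.py sources and the placeholder payload are constructed for illustration; the decoder, executor and spawner name sets are the author's assumptions about what is worth flagging.

```python
"""Static triage of a Python package __init__.py for the decode-then-execute
pattern: a Base64 blob decoded at import time and handed to exec() or to a
child interpreter.  Added example; sample sources below are constructed."""
import ast
import base64
from pathlib import Path
from typing import List

# Constructed sample: a benign __init__ that only re-exports API functions.
BENIGN_INIT = '''
from .client import connect, disconnect
__all__ = ["connect", "disconnect"]
__version__ = "1.0.3"
'''

# Constructed sample of the suspicious pattern. The blob is a harmless
# placeholder built here so the example never embeds real payload code.
_PLACEHOLDER = base64.b64encode(b"print('stage two placeholder')").decode()
SUSPICIOUS_INIT = f'''
import base64, subprocess, sys
from .client import connect
_blob = "{_PLACEHOLDER}"
_code = base64.b64decode(_blob).decode()
subprocess.Popen([sys.executable, "-c", _code])
exec(_code)
'''

# Assumed name sets (not exhaustive): what produces decoded data, what runs it.
DECODERS = {"b64decode", "b32decode", "b16decode", "a85decode", "b85decode"}
EXECUTORS = {"exec", "eval", "compile"}
SPAWNERS = {"Popen", "run", "call", "check_output", "system", "popen"}


def _callee_name(call: ast.Call) -> str:
    """Last component of a call target: base64.b64decode(...) -> 'b64decode'."""
    func = call.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def _has_decoder_call(node: ast.AST) -> bool:
    return any(isinstance(c, ast.Call) and _callee_name(c) in DECODERS
               for c in ast.walk(node))


def _names_in(node: ast.AST) -> set:
    return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}


def scan_source(src: str) -> List[str]:
    """Return findings for decoder-output flowing into an executor or spawner."""
    tree = ast.parse(src)
    findings: List[str] = []

    # Pass 1: variables bound (directly or via .decode()) to a decoder result.
    decoded = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and _has_decoder_call(node.value):
            decoded |= {t.id for t in node.targets if isinstance(t, ast.Name)}

    # Pass 2: calls that consume those variables, or the decoder output inline.
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name not in EXECUTORS and name not in SPAWNERS:
            continue
        tainted = set().union(*(_names_in(a) for a in node.args)) & decoded
        inline = any(_has_decoder_call(a) for a in node.args)
        if tainted or inline:
            what = "executes" if name in EXECUTORS else "spawns process with"
            src_desc = sorted(tainted) if tainted else "inline decoder output"
            findings.append(f"line {node.lineno}: {name}() {what} decoded data {src_desc}")
    return findings


def scan_package(root: str) -> dict:
    """Scan every __init__.py under an unpacked sdist/wheel directory."""
    return {str(p): scan_source(p.read_text(encoding="utf-8"))
            for p in Path(root).rglob("__init__.py")}


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_INIT), ("suspicious", SUSPICIOUS_INIT)):
        print(label, scan_source(src) or "no findings")
```

Run scan_package() against the unpacked distribution downloaded from PyPI (pip download --no-deps --no-binary :all: <name>, then extract), not against the linked GitHub checkout, since in this campaign the two differed. A finding is a triage signal, not proof: legitimate packages occasionally decode embedded resources, but decoder output reaching exec() or a child interpreter at import time warrants manual review of the blob.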