VMConnect supply chain attack continues, evidence points to North Korea

2023-08-31 ReversingLabs

https://www.reversinglabs.com/blog/vmconnect-supply-chain-campaign-continues

ReversingLabs identified three malicious PyPI packages, tablediter, request-plus, and requestspro, as a continuation of the VMConnect supply-chain campaign, with links to Labyrinth Chollima, a Lazarus Group offshoot. The packages impersonated popular Python libraries such as prettytable and requests, using name mimicry, copied metadata, and modified package code to reach developers. Tablediter delayed execution until the commonly used add_row function was called, then decoded XOR/hex-obfuscated code that contacted attacker C2 for further commands. Request-plus and requestspro modified the internals of the requests library to collect host data, POST it to C2, retrieve a token, and fetch a double-encrypted Python module likely used to download the next stage. The campaign matters because it shows North Korea-linked actors continuing to abuse open-source ecosystems while reducing dynamic-analysis visibility by avoiding immediate install-time execution.

Indicators of Compromise
