natazxPyPI

On import natazx, the package's top-level code executes several installer-hostile actions without consent: (1) it unconditionally overwrites the host's DNS configuration at /etc/resolv.conf (and the Termux equivalent) to point at 1.1.1.1/1.0.0.1 with aggressive timeouts — a system-wide change affecting every process on the host; (2) it runs pkill -9 tor and spawns a detached Tor daemon via start_new_session=True using a torrc written to /tmp/torrc, establishing a process that outlives the Python interpreter; (3) it shells out to pip install for five unpinned packages (colorama, requests, pycryptodome, urllib3, cfonts) bypassing declared dependencies (dependencies = [] in pyproject.toml), so the installer's environment is silently mutated with whatever the current PyPI releases are; (4) it fetches a JSON allowlist from a mutable GitHub main-branch ref (raw.githubusercontent.com/septianhdnatta/idd/refs/heads/main/device.json), builds a device fingerprint from serial number, build.prop, platform, uid, and timezone, and sys.exit(1)s if the installer's fingerprint is not on the author's list. The package's advertised function (main()) is a ToS-violating mass account-registration tool against Garena / Free Fire endpoints (100067.connect.garena.com, loginbp.ggblueshark.com, loginbp.common.ggbluefox.com) using hardcoded HMAC and AES-CBC keys, routed through 40 embedded HTTP proxy credentials on ten rotating IPs. The combination of import-time system-file destruction (resolv.conf overwrite), persistence (detached Tor daemon), silent environment mutation (unpinned pip installs), remote kill-switch (device-fingerprint allowlist on a mutable GitHub ref), and abuse-tool payload makes this package hostile to any environment in which it is installed.