A familiar Python backdoor is being repackaged as loadable extension modules, a move that can make source-based inspection harder and push defenders toward behavior-first detection.
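One source-independent check that fits this shift, as an added example that is not from the original article: inventory the native extension modules under a site-packages-style directory and flag any that the installer's `RECORD` metadata does not list, or whose hash no longer matches it. The function names and the sample tree are constructed for illustration.

```python
import base64, csv, hashlib, tempfile
from importlib.machinery import EXTENSION_SUFFIXES
from pathlib import Path

NATIVE_SUFFIXES = tuple(set(EXTENSION_SUFFIXES) | {".so", ".pyd"})

def record_digest(data: bytes) -> str:
    """Hash in the form wheel RECORD files use: sha256=<urlsafe base64, no padding>."""
    return "sha256=" + base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode()

def load_records(root: Path) -> dict:
    """Map relative path -> recorded digest from every *.dist-info/RECORD under root."""
    recorded = {}
    for record in root.glob("*.dist-info/RECORD"):
        with record.open(newline="") as fh:
            for row in csv.reader(fh):
                if row:
                    recorded[row[0]] = row[1] if len(row) > 1 else ""
    return recorded

def audit_native_modules(root: Path) -> list:
    """Return (relative_path, finding) for native modules the install metadata cannot vouch for."""
    recorded, findings = load_records(root), []
    for path in root.rglob("*"):
        if not (path.is_file() and path.name.endswith(NATIVE_SUFFIXES)):
            continue
        rel = path.relative_to(root).as_posix()
        if rel not in recorded:
            findings.append((rel, "unrecorded"))
        elif recorded[rel] and recorded[rel] != record_digest(path.read_bytes()):
            findings.append((rel, "hash-mismatch"))
    return sorted(findings)

def demo() -> list:
    """Constructed sample tree: one module as recorded, one changed, one dropped in."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "pkg").mkdir()
        (root / "pkg-1.0.dist-info").mkdir()
        (root / "pkg" / "_fast.so").write_bytes(b"original build")
        (root / "pkg" / "_codec.so").write_bytes(b"swapped after install")
        (root / "helper.so").write_bytes(b"no owning package")
        (root / "pkg-1.0.dist-info" / "RECORD").write_text(
            f"pkg/_fast.so,{record_digest(b'original build')},14\n"
            f"pkg/_codec.so,{record_digest(b'as shipped')},10\n")
        return audit_native_modules(root)

if __name__ == "__main__":
    print(demo())
```

`RECORD` is writable by anyone who can write to the directory, so a clean result only narrows the set of binaries that still need behavioral monitoring; it does not clear them.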