so i'm guessing something like this would be caught by (open|little)snitch. the raw c2 post coming from the python process would definitely be a red herring, but i wonder how obvious the git/github activity would be. it would seem kinda weird if it came from the python process itself, but if it were just git or gh in a subprocess, it would possibly look totally normal and even have a temporary allow rule in place...

maybe it's time for a next-gen opensnitch where the rules table is replaced by an active agent that watches connections and the process table?
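The process-table-aware check floated in this thread, written out as an added example (not the commenter's code and not part of OpenSnitch or Little Snitch): a per-executable allow rule is consulted first, as the existing rules tables do, and then the parent chain of the connecting process is walked so that a `git` or `gh` launched by an interpreter is surfaced even though the rule matched. The process table, connection list, allow rules and interpreter list are all constructed assumptions for the demo.

```python
from typing import Dict, List, Set, Tuple

# Constructed process table: pid -> (ppid, executable name).
# Made-up data standing in for what an agent would read from the OS.
PROCS: Dict[int, Tuple[int, str]] = {
    1: (0, "init"),
    1000: (1, "bash"),
    2000: (1000, "python3"),  # the hypothetical implant process
    2001: (2000, "git"),      # git spawned by the python process
    2002: (2000, "gh"),       # gh spawned by the python process
    3000: (1000, "git"),      # git run by the user from their shell
}

# Constructed connection events: (pid, remote host, remote port).
CONNS: List[Tuple[int, str, int]] = [
    (2000, "203.0.113.7", 443),     # direct POST from the interpreter
    (2001, "github.com", 443),
    (2002, "api.github.com", 443),
    (3000, "github.com", 443),
]

# Assumed per-executable allow rules, the shape a snitch-style table keeps.
ALLOW: Dict[str, Set[str]] = {"git": {"github.com"}, "gh": {"api.github.com"}}

# Assumed list of launchers whose child tooling deserves a second look.
INTERPRETERS: Set[str] = {"python", "python3", "perl", "ruby", "node"}


def ancestry(procs: Dict[int, Tuple[int, str]], pid: int) -> List[str]:
    """Executable names from the process itself up to the root."""
    chain: List[str] = []
    while pid in procs:
        ppid, name = procs[pid]
        chain.append(name)
        pid = ppid
    return chain


def classify(procs, allow, pid: int, host: str) -> str:
    """Rule lookup first; if it passes, inspect who launched the tool."""
    chain = ancestry(procs, pid)
    if not chain:
        return "unknown-process"
    if host not in allow.get(chain[0], set()):
        return "blocked-by-rule"
    if any(parent in INTERPRETERS for parent in chain[1:]):
        return "allowed-but-suspicious-parent"
    return "allowed"


def audit(procs, conns, allow) -> List[Tuple[int, str, str]]:
    return [(pid, host, classify(procs, allow, pid, host)) for pid, host, _ in conns]
```

With the sample data, the user's own `git` is plainly allowed while the `git`/`gh` children of the interpreter come back flagged despite matching the same rule.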