
Unusual Library Load via Python

Elastic Detection Rules

Summary
This detection rule identifies instances where a Python process loads an unusual library from within a user's home directory. Loaded library paths are checked against the standard shared-library extensions (.so or .dylib) and flagged when they deviate from those naming conventions. The detection is based on behaviour observed in advanced persistent threat (APT) campaigns, specifically by groups such as Lazarus and Slow Pisces. The rule uses EQL (Event Query Language) to monitor library load events on macOS systems, evaluating the file path and naming convention of each loaded library. Investigative steps are outlined to trace potential malicious activity, and response recommendations are provided for containing threats related to suspicious Python library loads.
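To make the summarised logic concrete, the following is an added example written for this page; it is not Elastic's rule and not its EQL query. It re-implements the described checks (Python process, library path under a macOS user home directory, extension that is not .so or .dylib) as a small Python evaluator and runs it over constructed library-load events. The event field names are modelled on ECS (process.name, dll.path, host.os.type, event.category), but which fields the production rule actually queries, the "python*" process-name pattern and the /Users/ home-directory root are assumptions made here.

```python
"""Added example: minimal re-implementation of the detection logic described in
the summary, evaluated over constructed library-load events (not Elastic's code)."""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumptions: ECS-style field names, a "python*" process-name match and
# /Users/ as the macOS home root. Tune these against your own telemetry.
EXPECTED_EXTENSIONS = (".so", ".dylib")
PYTHON_PROCESS = re.compile(r"^python[0-9.]*$", re.IGNORECASE)
HOME_ROOT = "/Users/"


@dataclass(frozen=True)
class Finding:
    process: str
    path: str
    reason: str


def is_user_home_path(path: str) -> bool:
    """True when the (normalised) path points at a file inside /Users/<user>/...

    normpath collapses '..' segments, so a path that escapes the home tree
    is not treated as living under it.
    """
    norm = os.path.normpath(path)
    return norm.startswith(HOME_ROOT) and norm.count("/") >= 3


def has_expected_extension(path: str) -> bool:
    """True when the file name ends in one of the standard shared-library extensions."""
    _, ext = os.path.splitext(os.path.basename(path))
    return ext.lower() in EXPECTED_EXTENSIONS


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding when the event matches the rule logic, otherwise None."""
    if event.get("host.os.type") != "macos":
        return None
    categories = event.get("event.category", [])
    if isinstance(categories, str):
        categories = [categories]
    if "library" not in categories:
        return None
    proc = event.get("process.name", "")
    if not PYTHON_PROCESS.match(proc):
        return None
    path = event.get("dll.path", "")
    if not is_user_home_path(path):
        return None
    if has_expected_extension(path):
        return None
    return Finding(process=proc, path=path,
                   reason="library under user home without .so/.dylib extension")


def run(events: Iterable[dict]) -> List[Finding]:
    """Evaluate every event and keep only the matches."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host.os.type": "macos", "event.category": ["library"], "process.name": "python3.12",
     "dll.path": "/Users/alice/.venv/lib/python3.12/site-packages/_cffi_backend.cpython-312-darwin.so"},
    {"host.os.type": "macos", "event.category": ["library"], "process.name": "python3",
     "dll.path": "/Users/alice/Library/Caches/pip/update.dat"},
    {"host.os.type": "macos", "event.category": ["library"], "process.name": "python3",
     "dll.path": "/usr/lib/libSystem.B.dylib"},
    {"host.os.type": "macos", "event.category": ["library"], "process.name": "node",
     "dll.path": "/Users/alice/.cache/data.bin"},
    {"host.os.type": "linux", "event.category": ["library"], "process.name": "python3",
     "dll.path": "/Users/alice/.cache/data.bin"},
    {"host.os.type": "macos", "event.category": "library", "process.name": "Python",
     "dll.path": "/Users/bob/.cache/data.bin"},
]


if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(f"{finding.process}: {finding.path} ({finding.reason})")
```

Only the second and last sample events produce a finding: a Python process loading a file under a user home directory whose name carries no standard shared-library extension. The venv .so, the system dylib, the non-Python process and the non-macOS host all fall through the filters, which mirrors the order a production rule would apply them to keep the expensive path checks last.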
Categories
  • Endpoint
  • macOS
Data Sources
  • Process
  • File
  • Logon Session
ATT&CK Techniques
  • T1059
  • T1059.006
Created: 2026-01-30