Anki Opens Many Connections via Loopback?

I ran netstat and noticed anki opens no fewer than 20 connections via the loopback (127.0.0.1) on several ports. Is this normal behavior?

I downloaded a card deck from someone online as a study aid. Has anki ever been used as a vehicle for malicious software in the past?

That is normal - a local connection is required for Anki’s web frontend to communicate with Anki’s backend.

There has been one instance of a malicious add-on in the past, but I’m not aware of any malicious shared decks, and they do not have the level of access that add-ons do.