Which versions of 0x000testqwe are malicious?

The following PyPI versions of 0x000testqwe are flagged malicious: 5.20.4. Treat any of these as compromised.

How do I remediate 0x000testqwe if I installed it?

0x000testqwe is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed 0x000testqwe — how do I know if it already compromised me?

If 0x000testqwe was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is 0x000testqwe part of a known attack campaign?

Yes — 0x000testqwe is associated with the RLMA-2025-03512, GENERIC-standard-pypi-install-pentest, RLUA-2026-00034 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find 0x000testqwe across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for 0x000testqwe (version 5.20.4). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging 0x000testqwe across your stack and pipelines.

Malicious package

0x000testqwePyPI

Malicious code in 0x000testqwe (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-6428

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall 0x000testqwe

What this malware does

Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: GENERIC-standard-pypi-install-pentest

Reasons (based on the campaign):

The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
The package overrides the install command in setup.py to execute malicious code during installation.

Malicious versions

1 flagged

5.20.4

Indicators of compromise (SHA-256)

857900c14f46e276624dec01a3bfd3a618ad3217892ae6b5f4f56144ba091364

72847c66ad827a7d37038b8135dfcca41138a4b618fc4840102e39696cfba0b2

4c1f4407cfafbdc3391f55d6b0c6c7344e0e87cfc42f7eb6dfdd9239a82433b7

4d79c8c8b3a7abebe3b8625236f64127816faa4386ece2fff48296e2ad1d828f

78774f61140eaaf71ed3ef79e6b56a2e1dd143e9d653026c05ad90cc3c4bbe7f

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for 0x000testqwe (version 5.20.4). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging 0x000testqwe across your stack and pipelines.
If you installed it — respond
0x000testqwe is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If 0x000testqwe was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks 0x000testqwe before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. 0x000testqwe on PyPI has been identified as a malicious package (version 5.20.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-03512GENERIC-standard-pypi-install-pentestRLUA-2026-00034

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks 0x000testqwe-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring