Which versions of akatest are malicious?

The following PyPI versions of akatest are flagged malicious: 0.2, 0.3, 0.4. Treat any of these as compromised.

How do I remediate akatest if I installed it?

akatest is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed akatest — how do I know if it already compromised me?

If akatest was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is akatest part of a known attack campaign?

Yes — akatest is associated with the RLMA-2025-01196, GENERIC-standard-pypi-install-pentest, RLUA-2026-00051 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find akatest across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for akatest (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging akatest across your stack and pipelines.

Malicious package

akatestPyPI

Malicious code in akatest (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-1961

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall akatest

What this malware does

Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: GENERIC-standard-pypi-install-pentest

Reasons (based on the campaign):

The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
The package overrides the install command in setup.py to execute malicious code during installation.

Malicious versions

3 flagged

0.20.30.4

Indicators of compromise (SHA-256)

fb2f7aa8c6a4ccc9ee0dc182bb960f9e6850ecedc358c21b2beb39d5ccbb3c83

358feeacf0c08b281899b5c35ce6b74a1d56bc3ae90d83a84f0101944cd96e1b

85ef10e21c20c3c7e5e453a0708a581cb88d8f37961da7c93af948848756fd3d

27dade3f3b8cda7fd856dc45e69fb17f279fdac3f107862ad85586e08ffa184b

00b2131a75f5a6e4995e576c034582612fc83c9596589e21b30f2e8e99c56b23

0536cdcda07b0f4acf862d795de9eb78342dc1ec2231d202992f4e6ec6415c42

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for akatest (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging akatest across your stack and pipelines.
If you installed it — respond
akatest is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If akatest was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks akatest before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. akatest on PyPI has been identified as a malicious package (versions 0.2, 0.3, 0.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-01196GENERIC-standard-pypi-install-pentestRLUA-2026-00051

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks akatest-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring