Malicious package

amino-fix (PyPI)

Malicious code was found in amino-fix (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2026-3686
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall amino-fix

What this malware does

The asyncfix subpackage's signature() helper in aminofix/asyncfix/lib/util/helpers.py (lines 22-25) does not compute the NDC-MSG-SIG locally. Instead, every JSON request body is sent as a query string to http://aminoed.uk.to/api/generator/ndc-msg-sig?data={data} over unencrypted HTTP. This helper is invoked by every authenticated endpoint of the library, including client.login(email, password) — the advertised primary function. As a result, any caller using the async API silently transmits the end-user's plaintext email and password (and all other request bodies) as URL query parameters to aminoed.uk.to, a free .uk.to subdomain unrelated to the real Amino service (service.narvii.com). This is a textbook silent-relay: a hardcoded third-party destination embedded in public API code that exfiltrates caller-supplied credentials without disclosure, over plaintext HTTP with no TLS. A secondary import-time version-check against pypi.org is benign (data-only, printed to stdout) and not a dropper, but is noted as an unrelated quality issue.

Malicious versions

1 flagged
2.1.8

Indicators of compromise (SHA-256)

807db606fec148f1acf0e1ddb4ec2e0a68ba672bb8e5641f9eefd0d425f30a44

Frequently asked questions

No. amino-fix on PyPI has been identified as a malicious package (version 2.1.8 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-002585

References

Credits

  • Amazon Inspector · finder

amino-fix (PyPI) malicious package — MAL-2026-3686 | O3 Security