Which versions of amino.fix are malicious?

The following PyPI versions of amino.fix are flagged malicious: 2.1.8. Treat any of these as compromised.

How do I remediate amino.fix if I installed it?

amino.fix is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed amino.fix — how do I know if it already compromised me?

If amino.fix was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is amino.fix part of a known attack campaign?

Yes — amino.fix is associated with the IN-MAL-2026-002585 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find amino.fix across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for amino.fix (version 2.1.8). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging amino.fix across your stack and pipelines.

Malicious package

amino.fixPyPI

Malicious code in amino-fix (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-3686

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall amino.fix

What this malware does

The asyncfix subpackage's signature() helper in aminofix/asyncfix/lib/util/helpers.py (lines 22-25) does not compute the NDC-MSG-SIG locally. Instead, every JSON request body is sent as a query string to http://aminoed.uk.to/api/generator/ndc-msg-sig?data={data} over unencrypted HTTP. This helper is invoked by every authenticated endpoint of the library, including client.login(email, password) — the advertised primary function. As a result, any caller using the async API silently transmits the end-user's plaintext email and password (and all other request bodies) as URL query parameters to aminoed.uk.to, a free .uk.to subdomain unrelated to the real Amino service (service.narvii.com). This is a textbook silent-relay: a hardcoded third-party destination embedded in public API code that exfiltrates caller-supplied credentials without disclosure, over plaintext HTTP with no TLS. A secondary import-time version-check against pypi.org is benign (data-only, printed to stdout) and not a dropper, but is noted as an unrelated quality issue.

Malicious versions

1 flagged

2.1.8

Indicators of compromise (SHA-256)

807db606fec148f1acf0e1ddb4ec2e0a68ba672bb8e5641f9eefd0d425f30a44

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for amino.fix (version 2.1.8). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging amino.fix across your stack and pipelines.
If you installed it — respond
amino.fix is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If amino.fix was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks amino.fix before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. amino.fix on PyPI has been identified as a malicious package (version 2.1.8 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-002585

References

pypi.org

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks amino.fix-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring