Which versions of asn1tool are malicious?

The following PyPI versions of asn1tool are flagged malicious: 0.167.0, 0.167.1. Treat any of these as compromised.

How do I remediate asn1tool if I installed it?

asn1tool is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed asn1tool — how do I know if it already compromised me?

If asn1tool was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is asn1tool part of a known attack campaign?

Yes — asn1tool is associated with the RLMA-2024-10974, 2024-11-asn1tool, RLUA-2026-00080 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find asn1tool across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for asn1tool (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging asn1tool across your stack and pipelines.

Malicious package

asn1toolPyPI

Malicious code in asn1tool (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2024-11530

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall asn1tool

What this malware does

Package clones a legitimate package. In the call to check the current version, the obfuscated remote code is downloaded and executed. It appears to be an infostealer

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2024-11-asn1tool

Reasons (based on the campaign):

obfuscation
dependency-confusion
typosquatting
clones-real-package
infostealer

Malicious versions

2 flagged

0.167.00.167.1

Indicators of compromise (SHA-256)

e8a3b81c6312bc3cb87be77a1a79aab0ad3ee89d865020319fa8a75c7e5b27b1

96ca0230415532472a651c1ec058230fbc59b55ea6dfac0e930d9053eda89cf7

2f9270a5372d17332c32e8824c44dab167a1f2a78ebc5a204e090ac4487a0f31

fcf16dae4d8151f171591b251d4155088e0f69cb2109b5c9ce796fcf56c1dda4

d58b4cd705fc437469738d9f9959faa370ec527ec6d2bb1580c9e0352ce7247b

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for asn1tool (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging asn1tool across your stack and pipelines.
If you installed it — respond
asn1tool is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If asn1tool was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks asn1tool before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. asn1tool on PyPI has been identified as a malicious package (versions 0.167.0, 0.167.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2024-109742024-11-asn1toolRLUA-2026-00080

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks asn1tool-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring