Malicious package: aurapro-ui (PyPI)

Malicious code in aurapro-ui (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2026-4742
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall aurapro-ui

What this malware does

The PyPI package aurapro-ui installs its code under the Python import namespace open_webui/ and registers two console scripts in entry_points.txt, aurapro-ui and open-webui, both pointing at open_webui.cli:app. Installing aurapro-ui on a system that already has, or later receives, the legitimate open-webui package causes silent module-import and CLI-binary collisions: import open_webui and the open-webui shell command resolve to whichever package was installed last, with no warning to the operator.

Package metadata compounds the deception: Author-email is set to Timothy Jaeryang Baek <[email protected]> (the maintainer of the unrelated upstream Open WebUI project), and the README is a search-and-replace rebrand of the upstream README that still links to docs.openwebui.com, openwebui.com, and the upstream Discord, although aurapro-ui has no documented relationship to that project.

The current 3.2.5 payload appears to be a rebrand of the upstream code with no exfiltration or RCE at import time, but the namespace foothold together with the falsified authorship stages a future malicious update that could silently replace the real open_webui module and open-webui CLI on any machine that installed aurapro-ui.
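As an added example, not code from the advisory or from O3 Security, the following Python script lists installed distributions that claim the same top-level import package or the same console_scripts entry point, which is how the open_webui / open-webui collision described above shows up on a host. The sample environment is constructed; the open-webui version in it is a placeholder and some-lib is an invented filler package.

```python
# Flag installed distributions that claim the same import package or console script.
from dataclasses import dataclass
from importlib.metadata import Distribution, distributions
from typing import Dict, List, Set

@dataclass
class DistInfo:
    name: str
    version: str
    top_level: Set[str]        # top-level import packages the wheel installs
    console_scripts: Set[str]  # names registered under [console_scripts]

def _top_level_packages(dist: Distribution) -> Set[str]:
    """Prefer top_level.txt; otherwise derive names from the RECORD file paths."""
    text = dist.read_text("top_level.txt")
    if text:
        return set(text.split())
    names: Set[str] = set()
    for path in dist.files or []:
        first = path.parts[0]
        if not first.startswith(".") and not first.endswith((".dist-info", ".egg-info", ".pth")):
            names.add(first.removesuffix(".py"))
    return names

def collect_installed() -> List[DistInfo]:
    """Read metadata for every distribution visible to this interpreter."""
    found = []
    for dist in distributions():
        scripts = {ep.name for ep in dist.entry_points if ep.group == "console_scripts"}
        found.append(DistInfo(dist.metadata.get("Name", "?"), dist.version, _top_level_packages(dist), scripts))
    return found

def find_collisions(dists: List[DistInfo]) -> Dict[str, Dict[str, List[str]]]:
    """Return import packages and console scripts claimed by more than one distribution."""
    owners: Dict[str, Dict[str, List[str]]] = {"modules": {}, "console_scripts": {}}
    for d in dists:
        for mod in d.top_level:
            owners["modules"].setdefault(mod, []).append(f"{d.name}=={d.version}")
        for script in d.console_scripts:
            owners["console_scripts"].setdefault(script, []).append(f"{d.name}=={d.version}")
    return {kind: {k: v for k, v in table.items() if len(v) > 1} for kind, table in owners.items()}

def sample_environment() -> List[DistInfo]:
    """Constructed fixture: legitimate open-webui (placeholder version) plus aurapro-ui 3.2.5."""
    return [DistInfo("open-webui", "0.0.0", {"open_webui"}, {"open-webui"}),
            DistInfo("aurapro-ui", "3.2.5", {"open_webui"}, {"aurapro-ui", "open-webui"}),
            DistInfo("some-lib", "1.0.0", {"some_lib"}, set())]

if __name__ == "__main__":
    print(find_collisions(collect_installed()))
```

Run it in the environment under review; any entry in the output means two distributions fight over the same module or command, and the operator should check which one won and why.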

Malicious versions

2 flagged:
3.2.5
3.4.15

Indicators of compromise (SHA-256)

cace553d74971e3660a0a7095662488f531348ba3e756696da5ff0ef9645ab22
ccee51c0781c2bba026520047f5f365ba3f12716f464339265c48259a3a3cd15

Frequently asked questions

No. aurapro-ui on PyPI has been identified as a malicious package (versions 3.2.5, 3.4.15 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-003289
IN-MAL-2026-006203

Credits

  • Amazon Inspector · finder

aurapro-ui (PyPI) malicious package — MAL-2026-4742 | O3 Security