Which versions of bittensor-burn-monitor are malicious?

The following PyPI versions of bittensor-burn-monitor are flagged malicious: 1.5.0, 1.5.3, 1.5.5, 1.6.0, 1.6.3, 1.6.5, 1.7.0. Treat any of these as compromised.

How do I remediate bittensor-burn-monitor if I installed it?

Remove bittensor-burn-monitor from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is bittensor-burn-monitor part of a known attack campaign?

Yes — bittensor-burn-monitor is associated with the 2026-06-clip-logger, IN-MAL-2026-005649, IN-MAL-2026-005643, IN-MAL-2026-005646, IN-MAL-2026-005648, IN-MAL-2026-005647, IN-MAL-2026-005651 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect bittensor-burn-monitor in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking bittensor-burn-monitor and packages like it before any post-install script runs.

Malicious package

bittensor-burn-monitorPyPI

Malicious code in bittensor-burn-monitor (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-5311

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall bittensor-burn-monitor

What this malware does

bittensor-burn-monitor advertises itself as a Bittensor subnet burn-rate monitor but ships a covert clipboard logger that exfiltrates installers' clipboard contents to a hardcoded Telegram destination. The package's logic is shipped only as compiled Cython binaries (bittensor_burn_watch/core.cpython-310-.so, burn_watch.cpython-310-.so) with a thin init.py that re-exports main; no Python source is provided. The compiled module's own internal documentation describes it as a 'clipboard logger', exposes routines to 'Read clipboard via Win32 API', 'Pick the first working Linux clipboard backend', and run an exclusive daemon that polls the clipboard and sends each capture as a Telegram message. A bundled defaults.env hardcodes a single attacker-controlled bot token and chat ID (TELEGRAM_BOT_TOKEN=8666228137:AAF_NLMrow4cDf3uEJCl3JY7DeBHtovd1TU, TELEGRAM_CHAT_ID=8766781014) so every installer reports to the same destination. The package additionally installs cross-platform persistence so the clipboard daemon survives reboots and respawns if killed — Windows Task Scheduler entries configured to run regardless of battery/time limits with a 15-minute watchdog, a Linux systemd user service + timer, and a macOS LaunchAgent with KeepAlive — and on Linux it silently invokes apt/dnf/pacman to install wl-clipboard/xclip without user prompt to enable clipboard access. Targets Bittensor subnet operators, whose clipboards routinely contain wallet mnemonics, validator hotkeys, and API tokens. Clipboard capture, the Telegram destination, and the autostart persistence are all undisclosed in the README.

The package contains code to steal clipboard content to a predefined remote location. If run in the right way, the code will periodically check the clipboard and if the content matches the pattern, exfiltrates it. Early versions contain this behavior mentioned in the README. The targeted data are likely cryptocurrency secret phrases.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-clip-logger

Reasons (based on the campaign):

clipboard-stealing
crypto-related

Malicious versions

7 flagged

1.5.01.5.31.5.51.6.01.6.31.6.51.7.0

Indicators of compromise (SHA-256)

b6f3a79211950df5f7a41e4b0845733e4ec71f253c1f0e6c2d3fa9049c1de1a9

821b859da75ef3ab42615fec48ca522c7e3508af147af7af5759e2277964413c

8e00f9218fb5589a0956bfc25343fde68b64422703baae22a4c1bf03e5dff0f0

7490be61e057111c7718843cb02f8ee924969393cdef5c83255d4d44bc2fbced

65535357026e6d116c2b6ba4e1439fb27a7bfc9f0b0e9f8ad451bfc165b7e2e3

98931441510cfd39d8d4af18bbfe35489c57cbcf5c19c34cc7be014dab7b72e3

9d4b7067997b5bc9822e964b16a3b4e78b5ec637086732d143889e577fa2d886

0320adfd23bf0dc4511464240ed9065a20af0359199fc3a40cb84dcda5173cd2

0e1c506bb7e3efe88a67bf774edfc69fbcbf08b06a0f60f6aa1522ad34bb5382

5a71d05cbac17746808a6d85a119f48095acd900bd4acf86edc577d75ae97029

Frequently asked questions

No. bittensor-burn-monitor on PyPI has been identified as a malicious package (versions 1.5.0, 1.5.3, 1.5.5, 1.6.0, 1.6.3, 1.6.5, 1.7.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2026-06-clip-loggerIN-MAL-2026-005649IN-MAL-2026-005643IN-MAL-2026-005646IN-MAL-2026-005648IN-MAL-2026-005647IN-MAL-2026-005651

References

Credits

Amazon Inspector · finder
Kamil Mańkowski (kam193) · reporter

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection