Malicious package: bittensor-burn-watch (PyPI)

Malicious code in bittensor-burn-watch (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2026-5292
Immediate action: remove the package, then rotate any secrets the build/runtime could reach.

    pip uninstall bittensor-burn-watch

What this malware does

The package advertises itself as a Bittensor subnet burn-rate monitor but bundles a live TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID in bittensor_burn_watch/defaults.env. The maintainer's own example file labels these as 'Clipboard alerts (admin Telegram)' and notes 'Pip users get these automatically — they do not edit these themselves'. The Telegram chat ID is admin-controlled, so every installer's outbound alert traffic is routed to a destination the maintainer owns and the installer cannot see or change.

All actual functionality lives in two Cython-compiled .so files (core.cpython-310-x86_64-linux-gnu.so, 6.2 MB, and burn_watch.*.so, 2.3 MB); the only readable Python is a 107-byte __init__.py and a 77-byte __main__.py that re-export main from the compiled binary. With a python-xlib dependency on Linux providing X11 clipboard/selection access, the binary-only distribution prevents installers from auditing what data the package reads from their machine and sends to the maintainer's Telegram.

Independently, defaults.env also ships a live third-party Taostats API key (tao-e9b3d1d9-...) to every installer, marked 'bundled; users never set this'. This both leaks the maintainer's own quota/billing identity and turns every install into a free proxy for that account. The combination of a hardcoded maintainer-owned destination, the 'clipboard alerts' framing in the maintainer's own documentation, an advertised purpose (burn monitoring) that does not require clipboard access, and unreviewable compiled-binary logic constitutes a silent-relay supply-chain risk.

The package contains code that steals clipboard content to a predefined remote location. When run in the right way, the code periodically checks the clipboard and, if the content matches a pattern, exfiltrates it. Early versions mention this behaviour in the README. The targeted data are most likely cryptocurrency seed phrases.
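As an added example (not code from the advisory or from O3 Security), the following Python audit checks the current environment for one of the flagged versions and inspects an unpacked package directory for the indicators described above: hardcoded Telegram keys in defaults.env, a bundled Taostats key with the quoted tao- prefix, and compiled .so logic behind tiny .py stubs. The env-key name TAOSTATS_KEY and all values in the constructed sample tree are assumptions, not values from the real package.

```python
import tempfile
from importlib import metadata
from pathlib import Path

PACKAGE = "bittensor-burn-watch"
FLAGGED_VERSIONS = {  # the 16 versions flagged in MAL-2026-5292
    "1.2.0", "1.2.2", "1.2.3", "1.2.4", "1.2.5", "1.2.6", "1.2.7", "1.2.9",
    "1.2.10", "1.2.11", "1.2.12", "1.3.0", "1.3.1", "1.3.2", "1.3.3", "1.3.4",
}
SUSPECT_ENV_KEYS = {"TELEGRAM_BOT_TOKEN", "TELEGRAM_CHAT_ID"}  # hardcoded per advisory


def installed_flagged_version():
    """Return the installed version if it is one of the flagged ones, else None."""
    try:
        version = metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None
    return version if version in FLAGGED_VERSIONS else None


def inspect_package_dir(pkg_dir):
    """Check an unpacked package directory for the advisory's indicators; returns findings."""
    pkg_dir, findings = Path(pkg_dir), []
    env_file = pkg_dir / "defaults.env"
    if env_file.is_file():
        for line in env_file.read_text(errors="replace").splitlines():
            key, sep, value = line.partition("=")
            key, value = key.strip(), value.strip().strip("'\"")
            if not sep or not value:
                continue  # blank lines and '#' comments carry no '='
            if key in SUSPECT_ENV_KEYS:
                findings.append(f"defaults.env hardcodes {key}")
            if value.startswith("tao-"):  # Taostats key prefix quoted in the advisory
                findings.append(f"defaults.env bundles a Taostats API key ({key})")
    so_files, py_files = list(pkg_dir.glob("*.so")), list(pkg_dir.glob("*.py"))
    if so_files and py_files and all(p.stat().st_size < 256 for p in py_files):
        findings.append(f"{len(so_files)} .so file(s) with only stub .py sources")
    return findings


def demo_on_constructed_tree():
    """Audit a constructed tree that mirrors the layout the advisory describes."""
    root = Path(tempfile.mkdtemp())
    (root / "defaults.env").write_text("# Clipboard alerts (admin Telegram)\n"
        "TELEGRAM_BOT_TOKEN=PLACEHOLDER\nTELEGRAM_CHAT_ID=PLACEHOLDER\n"
        "TAOSTATS_KEY=tao-PLACEHOLDER\n")  # key name and values are constructed
    (root / "__init__.py").write_text("from .core import main\n")
    (root / "core.cpython-310-x86_64-linux-gnu.so").write_bytes(b"\x7fELF")
    return inspect_package_dir(root)
```

Point inspect_package_dir at a site-packages/bittensor_burn_watch directory (or an extracted wheel) to run the same checks against a real install.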

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-clip-logger

Reasons (based on the campaign):

  • clipboard-stealing

  • crypto-related

Malicious versions (16 flagged)

1.2.0, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.9, 1.2.10, 1.2.11, 1.2.12, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4

Indicators of compromise (SHA-256)

Frequently asked questions

No. bittensor-burn-watch on PyPI has been identified as a malicious package (versions 1.2.0, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.9, and 8 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2026-06-clip-logger

Related indicators: IN-MAL-2026-005454, IN-MAL-2026-005455, IN-MAL-2026-005456

Credits

  • Amazon Inspector · finder
  • Kamil Mańkowski (kam193) · reporter
