What does the brrerrere malware do?

Installing the package starts an infostealer Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2023-12-fefeefrrg Reasons (based on the campaign): - infostealer - The package overrides the install command in setup.py to execute malicious code during installation. - exfiltration-generic - exfiltration-browser-data - The package contains code to detect if it is running in a sandbox environment.

Which versions of brrerrere are malicious?

The following PyPI versions of brrerrere are flagged malicious: 1.0. Treat any of these as compromised.

How do I remediate brrerrere if I installed it?

brrerrere is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed brrerrere — how do I know if it already compromised me?

If brrerrere was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is brrerrere part of a known attack campaign?

Yes — brrerrere is associated with the RLMA-2024-03614, RLUA-2024-07896, 2023-12-fefeefrrg, RLUA-2026-00159 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find brrerrere across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for brrerrere (version 1.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging brrerrere across your stack and pipelines.

Malicious package

brrerrerePyPI

Malicious code in brrerrere (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2024-4834

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall brrerrere

What this malware does

Installing the package starts an infostealer

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2023-12-fefeefrrg

Reasons (based on the campaign):

infostealer
The package overrides the install command in setup.py to execute malicious code during installation.
exfiltration-generic
exfiltration-browser-data
The package contains code to detect if it is running in a sandbox environment.

Malicious versions

1 flagged

1.0

Indicators of compromise (SHA-256)

ee2f37a564a3b35e2011c434df127218f302bae7a0e802321f038b03fd1cdcf7

bcdf24ea085cf920a2eb4bfa968219eeaa09f4a5ac487d444bc7c824400c3bda

5ce79ff0640d51338e3e5e0844cd39bf833ba6a1a82398bf23d4d6be8dc9c948

bbd947456326518e8c61c9de4304c1730cd37cb7b7cc936f9d4880cd8417f086

7832dc794aafc59a35555c18ac2bbbbaebf2c25f81a6a69ae5b9d64a1a109cb0

7ff1c72d2f74585035c62d44d216e41f18fe37e1f68f8e5a0599b8fea853ed10

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for brrerrere (version 1.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging brrerrere across your stack and pipelines.
If you installed it — respond
brrerrere is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If brrerrere was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks brrerrere before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. brrerrere on PyPI has been identified as a malicious package (version 1.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2024-03614RLUA-2024-078962023-12-fefeefrrgRLUA-2026-00159

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks brrerrere-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring