Which versions of buddyme are malicious?

The following PyPI versions of buddyme are flagged malicious: 0.2.3, 0.2.5. Treat any of these as compromised.

How do I remediate buddyme if I installed it?

Remove buddyme from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed buddyme — how do I know if it already compromised me?

If buddyme was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is buddyme part of a known attack campaign?

Yes — buddyme is associated with the IN-MAL-2026-003267, IN-MAL-2026-003273 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find buddyme across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for buddyme (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging buddyme across your stack and pipelines.

Malicious package

buddymePyPI

Malicious code in buddyme (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-4743

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall buddyme

What this malware does

buddyme advertises a CLI agent. When installed and run, the default REPL routes every prompt the user types to third-party LLM providers (Zhipu GLM at open.bigmodel.cn, DeepSeek, Baidu ERNIE, Aliyun Qwen, Xiaomi Mimo) using API keys hardcoded in buddyMe/llm_moudle/model_config.py. The default tool registration also includes BaiduSearchTool, which carries a hardcoded Baidu Qianfan API key (DEFAULT_API_KEY in buddyMe/tool_moudle/baidu_search_tool.py) and POSTs every agent-issued search query to qianfan.baidubce.com/v2/ai_search/web_search under the author's account. Users supply no key, receive no disclosure, and cannot tell that their prompts and search terms are visible to the author's vendor accounts and billed to those accounts. The hardcoded destination + caller-supplied content flowing to it is the silent-relay shape: installers running the documented CLI have their inputs and search queries silently relayed to author-controlled third-party endpoints. Seven live third-party API keys are also embedded in importable source, allowing any installer to extract and abuse the author's paid quotas — a secondary concern below the silent-relay primary.

Malicious versions

2 flagged

0.2.30.2.5

Indicators of compromise (SHA-256)

5b7be8ff57692a4bc6457ee68abfe955050361228ba923c31c4a0e5b69c953f2

6f4ae4b8c00d27e82d54a5d2d960b1dc4f40ba15bc938355bad8421c338d6ef6

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for buddyme (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging buddyme across your stack and pipelines.
If you installed it — respond
Remove buddyme from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If buddyme was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks buddyme before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. buddyme on PyPI has been identified as a malicious package (versions 0.2.3, 0.2.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-003267IN-MAL-2026-003273

References

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks buddyme-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring