Which versions of c8tks94kspjyhtb are malicious?

The following PyPI versions of c8tks94kspjyhtb are flagged malicious: 0.0.1, 0.0.2. Treat any of these as compromised.

How do I remediate c8tks94kspjyhtb if I installed it?

c8tks94kspjyhtb is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed c8tks94kspjyhtb — how do I know if it already compromised me?

If c8tks94kspjyhtb was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is c8tks94kspjyhtb part of a known attack campaign?

Yes — c8tks94kspjyhtb is associated with the RLMA-2025-02998, GENERIC-standard-pypi-install-pentest, RLUA-2026-00177 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find c8tks94kspjyhtb across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for c8tks94kspjyhtb (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging c8tks94kspjyhtb across your stack and pipelines.

Malicious package

c8tks94kspjyhtbPyPI

Malicious code in c8tks94kspjyhtb (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-5101

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall c8tks94kspjyhtb

What this malware does

Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: GENERIC-standard-pypi-install-pentest

Reasons (based on the campaign):

The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
The package overrides the install command in setup.py to execute malicious code during installation.

Malicious versions

2 flagged

0.0.10.0.2

Indicators of compromise (SHA-256)

c8dfe30d76b0ab23e1a899a6f267bef3bbb46c8f398f8d09e57c3fafd1eeef86

f13282e821e66935b42620d3c2e35051196260db8400941faeb4c0396d612a23

55ea5b13a1064ea6ada9f0d6ac879a6b269b476871734f578f6c097a5baa73f3

0b7271400a55d9616c71ad25527379c529ef27f467e5b163c57194b04eb78e50

01c67b2c5e51232402d175dc6a939ecd721782a2390e2aa9389420297011e4ec

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for c8tks94kspjyhtb (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging c8tks94kspjyhtb across your stack and pipelines.
If you installed it — respond
c8tks94kspjyhtb is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If c8tks94kspjyhtb was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks c8tks94kspjyhtb before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. c8tks94kspjyhtb on PyPI has been identified as a malicious package (versions 0.0.1, 0.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-02998GENERIC-standard-pypi-install-pentestRLUA-2026-00177

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks c8tks94kspjyhtb-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring