Which versions of callistopy are malicious?

The following PyPI versions of callistopy are flagged malicious: 0.1.0, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.91. Treat any of these as compromised.

How do I remediate callistopy if I installed it?

callistopy is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed callistopy — how do I know if it already compromised me?

If callistopy was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is callistopy part of a known attack campaign?

Yes — callistopy is associated with the 2025-07-callistopy campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find callistopy across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for callistopy (6 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging callistopy across your stack and pipelines.

Malicious package

callistopyPyPI

Malicious code in callistopy (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-191698

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall callistopy

What this malware does

Package creates a telegram client which silently exfiltrate user's Telegram data, including sessions and configuration, to a hardcoded remote target

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-07-callistopy

Reasons (based on the campaign):

exfiltration-generic
action-hidden-in-lib-usage

Malicious versions

6 flagged

0.1.00.3.60.3.70.3.80.3.90.3.91

Indicators of compromise (SHA-256)

05903f6620a9a90223a2ddbde2778406a7c0a5bdb00f26bc9bfc1e64c222da36

c45e190afdbbb8d4b817c50734f8b01bc3bec65978141d4070ca2ec60be6b061

0cb577524e38c4e85b0d6a70e842cb3fa229f5fdbc6a4bb5a9aee0cdffab9f8b

2a7c079512721b2f20210ce945a335e6c742f9606c12ab101dfa78b4e688e6e5

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for callistopy (6 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging callistopy across your stack and pipelines.
If you installed it — respond
callistopy is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If callistopy was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks callistopy before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. callistopy on PyPI has been identified as a malicious package (versions 0.1.0, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.91 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2025-07-callistopy

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)

Detect & block this

O3 blocks callistopy-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring