Which versions of cblines are malicious?

The following PyPI versions of cblines are flagged malicious: 0.0.1. Treat any of these as compromised.

How do I remediate cblines if I installed it?

cblines is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed cblines — how do I know if it already compromised me?

If cblines was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is cblines part of a known attack campaign?

Yes — cblines is associated with the RLMA-2024-10996, 2024-08-embeds-RealtekHDAudioManager, RLUA-2026-00180 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find cblines across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for cblines (version 0.0.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging cblines across your stack and pipelines.

Malicious package

cblinesPyPI

Malicious code in cblines (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2024-11550

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall cblines

What this malware does

Importing a module starts downloading and executing an infostealer, widely identified by AV/sandboxes.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2024-08-embeds-RealtekHDAudioManager

Reasons (based on the campaign):

infostealer
Downloads and executes a remote executable.

Malicious versions

1 flagged

0.0.1

Indicators of compromise (SHA-256)

bbd9f4d1a5218f9da291175923d03076d2a007f025bc68e22b1fb31b68048648

3afc6650cbae084dbae91f82974a0d8def863cea2c6371ce458a6804ec6b8007

80531e39cd96b75b32c7549840f7bc6984377765d9f9f663c0b560332b4e1b84

fc64c42efe323b7912ab022a3368320c5b44491099efbda4eef5f8b8fe5ac163

65646b9ac3f166d86d943c9ff6559b6207189688bb693292b54233cdf3ea7136

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for cblines (version 0.0.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging cblines across your stack and pipelines.
If you installed it — respond
cblines is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If cblines was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks cblines before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. cblines on PyPI has been identified as a malicious package (version 0.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2024-109962024-08-embeds-RealtekHDAudioManagerRLUA-2026-00180

References

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks cblines-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring