Which versions of chromifypro are malicious?

The following PyPI versions of chromifypro are flagged malicious: 1.0.0, 1.0.1. Treat any of these as compromised.

How do I remediate chromifypro if I installed it?

chromifypro is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed chromifypro — how do I know if it already compromised me?

If chromifypro was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is chromifypro part of a known attack campaign?

Yes — chromifypro is associated with the 2025-10-asynhttp, RLMA-2025-06558, RLUA-2026-00192 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find chromifypro across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for chromifypro (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging chromifypro across your stack and pipelines.

Malicious package

chromifyproPyPI

Malicious code in chromifypro (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-191702

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall chromifypro

What this malware does

Packages silently decrypt content hidden in a dependency and load them as Python extension modules.

In the first wave, those are copies of legitimate aiohttp and aiohappyeyeballs packages. In the second wave, malicious packages created good-looking forks of legitimate rich and pigments packages.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-10-asynhttp

Reasons (based on the campaign):

typosquatting
exfiltration-generic
obfuscation
clones-real-package
native-extension

Malicious versions

2 flagged

1.0.01.0.1

Indicators of compromise (SHA-256)

b156d4195a20c086e7cd013834914c9443c8fa7b36581614df2021020cbc5689

7d54475b9a0020eac1dddf1c1a3684b901bfc7de641e03d571a933718b43933e

4138883ad2e38b4a8a4353918126f4732db5f04107be0bddafc745ec97120b52

000fc121aa0083346662729454da97a179ebfd789440c1a9a047c6fe8fee3e68

bca09f6f48f1f5d722c217e7f20e90add7a0131df05b2b08f6df4afbd131e3bf

0267761bf8326742a23f099b996b08d6199c4719870e023bcf6a662ee5eef1e9

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for chromifypro (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging chromifypro across your stack and pipelines.
If you installed it — respond
chromifypro is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If chromifypro was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks chromifypro before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. chromifypro on PyPI has been identified as a malicious package (versions 1.0.0, 1.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2025-10-asynhttpRLMA-2025-06558RLUA-2026-00192

References

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks chromifypro-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring