Which versions of coloramashowtemp are malicious?

The following PyPI versions of coloramashowtemp are flagged malicious: 0.1.0. Treat any of these as compromised.

How do I remediate coloramashowtemp if I installed it?

coloramashowtemp is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed coloramashowtemp — how do I know if it already compromised me?

If coloramashowtemp was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is coloramashowtemp part of a known attack campaign?

Yes — coloramashowtemp is associated with the RLMA-2025-03003, RLUA-2025-03570, 2025-05-coloramashowtemp, RLUA-2026-00211 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find coloramashowtemp across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for coloramashowtemp (version 0.1.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging coloramashowtemp across your stack and pipelines.

Malicious package

coloramashowtempPyPI

Malicious code in coloramashowtemp (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-5106

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall coloramashowtemp

What this malware does

Importing the module starts download and running a remote executable, identified as malware by AVs

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-05-coloramashowtemp

Reasons (based on the campaign):

Downloads and executes a remote executable.
malware

Malicious versions

1 flagged

0.1.0

Indicators of compromise (SHA-256)

202c5a0aa20a7f1b2626e5a9b6e4bd0d9e2410c425bf6eb4908a0063a4bca93e

3c8a84920c41806b6903a67da84f5f6789d0d4671bf5f88f77a9629068f2a6df

c5fb0c8b6e25c0f786ca45a5b5dbedd2f4657f0e876358289f2d12bffbc771a4

68b62d3c6ab90e6f581e390f03610916462b830f303532bd5528e2d5c37bb46e

fb932d54c61fc858a7eb5c23c609290f25df0848e4025760c32a4b9833b6c16e

ce2afd7e35ea1706a8690a4d9ffda65f7e7d57f3bfcfd7fedca7243746dd76fc

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for coloramashowtemp (version 0.1.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging coloramashowtemp across your stack and pipelines.
If you installed it — respond
coloramashowtemp is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If coloramashowtemp was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks coloramashowtemp before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. coloramashowtemp on PyPI has been identified as a malicious package (version 0.1.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-03003RLUA-2025-035702025-05-coloramashowtempRLUA-2026-00211

References

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks coloramashowtemp-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring