Which versions of consolergbcolor are malicious?

The following PyPI versions of consolergbcolor are flagged malicious: 0.0.1. Treat any of these as compromised.

How do I remediate consolergbcolor if I installed it?

consolergbcolor is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed consolergbcolor — how do I know if it already compromised me?

If consolergbcolor was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is consolergbcolor part of a known attack campaign?

Yes — consolergbcolor is associated with the RLMA-2025-05207, 2025-09-consolecolornew, RLUA-2026-00224 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find consolergbcolor across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for consolergbcolor (version 0.0.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging consolergbcolor across your stack and pipelines.

Malicious package

consolergbcolorPyPI

Malicious code in consolergbcolor (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-48888

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall consolergbcolor

What this malware does

If used, the code attempts to take a photo using the computer's camera and exfiltrates it

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-09-consolecolornew

Reasons (based on the campaign):

exfiltration-generic
action-hidden-in-lib-usage
other

Malicious versions

1 flagged

0.0.1

Indicators of compromise (SHA-256)

2d0f396727d2d19441e2031ef8d9f909137199f1e3c569045ab8e770c6f9af24

1e4857492932f7191c3aa6ba8484d052ce7e0fa9e1a0e9d90cdf32752a27a958

04beefffad3b4018eda21173a10a1dbebd8127bd9870d86e31894c6be592e107

f1e6189bb4839626101ecbe58636ea2504c1359c8ce5895bbebf9b28a3538cb9

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for consolergbcolor (version 0.0.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging consolergbcolor across your stack and pipelines.
If you installed it — respond
consolergbcolor is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If consolergbcolor was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks consolergbcolor before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. consolergbcolor on PyPI has been identified as a malicious package (version 0.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-052072025-09-consolecolornewRLUA-2026-00224

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks consolergbcolor-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring