What does the crypt0graphyy malware do?

Package uses the template from https://github.com/thegoodhackertv/malpip to explore building malicious PyPI packages. Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: SCRIPT_KIDDIE-thegoodhacker-paquete Reasons (based on the campaign): - The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk. - The package overrides the install command in setup.py to execute malicious code during installation. - Package uses simple pre-prepared tools to create a low-quality malicious action.

Which versions of crypt0graphyy are malicious?

The following PyPI versions of crypt0graphyy are flagged malicious: 1.0.0. Treat any of these as compromised.

How do I remediate crypt0graphyy if I installed it?

crypt0graphyy is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed crypt0graphyy — how do I know if it already compromised me?

If crypt0graphyy was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is crypt0graphyy part of a known attack campaign?

Yes — crypt0graphyy is associated with the RLMA-2025-03005, SCRIPT_KIDDIE-thegoodhacker-paquete, RLUA-2026-00232 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find crypt0graphyy across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for crypt0graphyy (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging crypt0graphyy across your stack and pipelines.

Malicious package

crypt0graphyyPyPI

Malicious code in crypt0graphyy (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-5108

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall crypt0graphyy

What this malware does

Package uses the template from https://github.com/thegoodhackertv/malpip to explore building malicious PyPI packages.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: SCRIPT_KIDDIE-thegoodhacker-paquete

Reasons (based on the campaign):

The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
The package overrides the install command in setup.py to execute malicious code during installation.
Package uses simple pre-prepared tools to create a low-quality malicious action.

Malicious versions

1 flagged

1.0.0

Indicators of compromise (SHA-256)

589c76a86996bb2c5606ac0b3a740539c0816356b7f7126b215ce0b703475273

b13b8823a1da9d159f32c3e3055500551b705500e9fbeb2393d00f38f3fcb825

ec94110581ca3363bda748a7d59e0e82110dda02ec61092f85e7ef2d513f059e

f52e6274e059a3983563898f6ebb219844c01899006dc0dab0dc0efe69399e89

17f6957207899956f5355d3698a1b8c3d51d52ef3baae076c539f3ab4f4d0487

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for crypt0graphyy (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging crypt0graphyy across your stack and pipelines.
If you installed it — respond
crypt0graphyy is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If crypt0graphyy was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks crypt0graphyy before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. crypt0graphyy on PyPI has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-03005SCRIPT_KIDDIE-thegoodhacker-paqueteRLUA-2026-00232

References

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks crypt0graphyy-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring