Which versions of cryptoo are malicious?

The following PyPI versions of cryptoo are flagged malicious: 2.8.2. Treat any of these as compromised.

How do I remediate cryptoo if I installed it?

cryptoo is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed cryptoo — how do I know if it already compromised me?

If cryptoo was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is cryptoo part of a known attack campaign?

Yes — cryptoo is associated with the RLMA-2025-03580, 2025-07-cryptoo, RLUA-2026-00238 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find cryptoo across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for cryptoo (version 2.8.2). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging cryptoo across your stack and pipelines.

Malicious package

cryptooPyPI

Malicious code in cryptoo (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-6489

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall cryptoo

What this malware does

Importing starts an infostealer

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-07-cryptoo

Reasons (based on the campaign):

obfuscation
infostealer
exfiltration-browser-data
exfiltration-generic
crypto-related
exfiltration-crypto

Malicious versions

1 flagged

2.8.2

Indicators of compromise (SHA-256)

3db10294feb27bde48ccda97d08d509de76d9547950cdabe7f06452cbe33fecd

5e5e271a48e340c3f1ca8cd43f8d662a1738236fc5311a4f9adcf0e834976adf

f63e4b5c515be094f240f956e15464da0258bdd6948006f25419be60138b4764

f6697b0a706b10ed7b9ac095cc153a05167f43c1fdd88124e61f44e1cb720947

5ac20803a67fbb7e79fc9c7e013444e29912f2ace8b8078fe5f68d424d981df1

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for cryptoo (version 2.8.2). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging cryptoo across your stack and pipelines.
If you installed it — respond
cryptoo is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If cryptoo was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks cryptoo before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. cryptoo on PyPI has been identified as a malicious package (version 2.8.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-035802025-07-cryptooRLUA-2026-00238

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks cryptoo-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring