Which versions of d0rk3r are malicious?

The following PyPI versions of d0rk3r are flagged malicious: 1.0.0, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.0. Treat any of these as compromised.

How do I remediate d0rk3r if I installed it?

Remove d0rk3r from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is d0rk3r part of a known attack campaign?

Yes — d0rk3r is associated with the 2026-06-request-cache-py campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect d0rk3r in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking d0rk3r and packages like it before any post-install script runs.

Malicious package

d0rk3rPyPI

Malicious code in d0rk3r (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-6246

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall d0rk3r

What this malware does

The package declares malicious dependencies. Their activity is however not triggered as since version 1.0.4, the packages releases lack any source code. Malicious dependency was first introduced in version 1.0.5, but the package is likely prepared to be a loader of malicious code from very begining.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-request-cache-py

Reasons (based on the campaign):

infostealer
exfiltration-env-variables
exfiltration-ssh-keys
impersonation
A Telegram webhook is used to send collected data.
exfiltration-browser-data
The package contains code to detect if it is running in a sandbox environment.
exfiltration-credentials
The malicious code is intentionally included in a dependency of the package

Malicious versions

16 flagged

1.0.01.0.21.0.31.0.41.0.51.0.61.0.71.0.81.0.91.1.01.1.11.1.21.1.31.1.41.1.51.2.0

Indicators of compromise (SHA-256)

d0d4cf20ac250e3d7a23666cf8bc3ae722d555b982649dad3f615d9c7c8818d9

Frequently asked questions

No. d0rk3r on PyPI has been identified as a malicious package (versions 1.0.0, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, and 8 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2026-06-request-cache-py

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193) · reporter

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection