What does the d0rk3r-telemetry malware do?

During import, package exfiltrates browsers data, SSH keys and other credential files, env variables and other sensitive data. Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2026-06-request-cache-py Reasons (based on the campaign): - infostealer - exfiltration-env-variables - exfiltration-ssh-keys - impersonation - A Telegram webhook is used to send collected data. - exfiltration-browser-data - The package contains code to detect if it is running in a sandbox environment. - exfiltration-credentials - The malicious code is intentionally included in a dependency of the package

Which versions of d0rk3r-telemetry are malicious?

The following PyPI versions of d0rk3r-telemetry are flagged malicious: 1.0.0, 1.0.1. Treat any of these as compromised.

How do I remediate d0rk3r-telemetry if I installed it?

Remove d0rk3r-telemetry from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is d0rk3r-telemetry part of a known attack campaign?

Yes — d0rk3r-telemetry is associated with the 2026-06-request-cache-py campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect d0rk3r-telemetry in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking d0rk3r-telemetry and packages like it before any post-install script runs.

Malicious package

d0rk3r-telemetryPyPI

Malicious code in d0rk3r-telemetry (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-6244

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall d0rk3r-telemetry

What this malware does

During import, package exfiltrates browsers data, SSH keys and other credential files, env variables and other sensitive data.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-request-cache-py

Reasons (based on the campaign):

infostealer
exfiltration-env-variables
exfiltration-ssh-keys
impersonation
A Telegram webhook is used to send collected data.
exfiltration-browser-data
The package contains code to detect if it is running in a sandbox environment.
exfiltration-credentials
The malicious code is intentionally included in a dependency of the package

Malicious versions

2 flagged

1.0.01.0.1

Indicators of compromise (SHA-256)

1f9f4d4943d02f9c78e513a75b4b0fcfd47d1e0486e79df9fe52f2112d840163

882e2e2a2c26ff69be44b64ab738e5ac2739532bde40633a8c6862363ed6c47a

Frequently asked questions

No. d0rk3r-telemetry on PyPI has been identified as a malicious package (versions 1.0.0, 1.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2026-06-request-cache-py

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193) · analyst

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection