Which versions of dlty are malicious?

The following PyPI versions of dlty are flagged malicious: 0.0.10, 1.0.3. Treat any of these as compromised.

How do I remediate dlty if I installed it?

dlty is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed dlty — how do I know if it already compromised me?

If dlty was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is dlty part of a known attack campaign?

Yes — dlty is associated with the IN-MAL-2026-002375, IN-MAL-2026-002381 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find dlty across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for dlty (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging dlty across your stack and pipelines.

Malicious package

dltyPyPI

Malicious code in dlty (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-3690

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall dlty

What this malware does

Importing the dlty package triggers an active data-exfiltration channel from the installer to third-party-controlled infrastructure. dlty/__init__.py imports dlty.dlt, which defines a class DataLeakTest whose class body contains threading.Thread(target=leak_data).start() — meaning the thread runs at class-definition/import time, not on instantiation. The target function leak_data (dlty/dlt.py) first performs an HTTP GET to https://www.google.de as a connectivity probe, then reads the environment variables RUN, PIPELINE, STEP and uploads them with a timestamp as a blob to the hardcoded Google Cloud Storage bucket data-leak-test via storage.Client().get_bucket('data-leak-test').blob(run).upload_from_string(...). This uses the installer's ambient GCP credentials (Application Default Credentials) to write installer-side environment variables (commonly CI/CD metadata) to author-controlled storage. Exceptions are swallowed with a reassuring print, and the exfiltration is placed in a class body rather than init to make it less visible during casual review. Metadata fields are placeholders (Example Author, pypa/sampleproject URL), the README is a single line, and the package name does not advertise any of this behavior. This is a one-way installer→attacker exfiltration path and meets the criteria for an active supply-chain attack.

Malicious versions

2 flagged

0.0.101.0.3

Indicators of compromise (SHA-256)

1de1179058c8bfbb9c038473f9941f3a4b3db4465c9d0bcaac796b55ed58118a

494f5fbab24a26771e84ce06eea5303b7d1b9135b505a6d93a01c417603f1902

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for dlty (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging dlty across your stack and pipelines.
If you installed it — respond
dlty is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If dlty was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks dlty before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. dlty on PyPI has been identified as a malicious package (versions 0.0.10, 1.0.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-002375IN-MAL-2026-002381

References

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks dlty-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring