Which versions of dsidelib are malicious?

The following PyPI versions of dsidelib are flagged malicious: 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 2.0. Treat any of these as compromised.

How do I remediate dsidelib if I installed it?

dsidelib is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed dsidelib — how do I know if it already compromised me?

If dsidelib was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is dsidelib part of a known attack campaign?

Yes — dsidelib is associated with the RLMA-2025-04158, 2025-08-dsidelib, RLUA-2026-00284 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find dsidelib across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for dsidelib (15 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging dsidelib across your stack and pipelines.

Malicious package

dsidelibPyPI

Malicious code in dsidelib (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-41666

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall dsidelib

What this malware does

Package is runs an Infostealer targeting telegram and Discord credentials. Depending on version, the infostealer is either downloaded from an URL or embedded in the package

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-08-dsidelib

Reasons (based on the campaign):

infostealer
Downloads and executes a remote malicious script.
exfiltration-browser-data
target:telegram

Malicious versions

15 flagged

0.1.00.1.10.2.00.3.00.4.00.5.00.6.00.7.00.8.00.9.01.0.01.1.01.2.01.3.02.0

Indicators of compromise (SHA-256)

e9e2cf7cb2a305bb54858e7b6d976bd8de7182064c2c56e03f61542572dc4495

ca43db239f71150cdb1487144d1749cd199126f3072bfae5a37982f69bb675b1

5bd949196aad0e516b6c21fb6c9fc50ac76f93ca87d94490d53e3b367401df7b

76bdef8c535c10bb95fe0ef65eea42cc2e709b8093847af2ff54b66bf1c57fdd

2450c157ad56e5ea450e51f904efaa7796eb38db61e1824d55a9395ecb26af3d

1b882a6b7eab0aed4a54e99c2d41a3893c781400e096e34c1ddc14bf82f4ecb7

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for dsidelib (15 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging dsidelib across your stack and pipelines.
If you installed it — respond
dsidelib is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If dsidelib was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks dsidelib before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. dsidelib on PyPI has been identified as a malicious package (versions 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.6.0, 0.7.0, and 7 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-041582025-08-dsidelibRLUA-2026-00284

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks dsidelib-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring