Malicious package

easyhttprequest (PyPI)

Malicious code in easyhttprequest (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2024-5101
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall easyhttprequest

What this malware does

Clone of the requests package. During installation, it downloads a git repository and attempts to execute a script from its commit message.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2023-12-09-easyhttprequest

Reasons (based on the campaign):

  • The package overrides the install command in setup.py to execute malicious code during installation.

  • Downloads and executes a remote malicious script.

  • Clones a real package (requests).

Malicious versions

2 flagged: 2.31.4, 2.31.5

Indicators of compromise (SHA-256)


Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for easyhttprequest (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging easyhttprequest across your stack and pipelines.

  2. If you installed it — respond

    easyhttprequest is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If easyhttprequest was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks easyhttprequest before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
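A minimal version of the lockfile check from step 1, as an added example that is not part of the original advisory or of any O3 tooling. It covers requirements.txt (or `pip freeze` output) and poetry.lock only; the function names and sample inputs are constructed for illustration, and the package name and flagged versions are the ones listed above.

```python
import re

# Package name and flagged versions come from this advisory.
PACKAGE, FLAGGED = "easyhttprequest", {"2.31.4", "2.31.5"}
REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(?:==\s*([^\s;#\\]+))?")
TOML_KV = re.compile(r'^\s*(name|version)\s*=\s*"([^"]*)"')

def normalize(name):
    # PEP 503 normalization, so "EasyHttpRequest" still matches
    return re.sub(r"[-_.]+", "-", name).lower()

def hit(line_no, version):
    # Any presence is a finding; a pin to a flagged version is called out
    return (line_no, version, "flagged-version" if version in FLAGGED else "name-match")

def scan_requirements(text):
    """Scan requirements.txt or `pip freeze` output for the package."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REQ.match(line)  # comment lines and option lines (-r, -e) do not match
        if m and normalize(m.group(1)) == PACKAGE:
            hits.append(hit(no, m.group(2)))
    return hits

def scan_poetry_lock(text):
    """Line-based read of [[package]] tables in poetry.lock (not a full TOML parser)."""
    hits, entry, start = [], None, 0
    for no, line in enumerate(text.splitlines() + ["[[package]]"], 1):
        if line.lstrip().startswith("["):  # any table header closes the open entry
            if entry and normalize(entry.get("name", "")) == PACKAGE:
                hits.append(hit(start, entry.get("version")))
            entry, start = ({} if line.strip() == "[[package]]" else None), no
        elif entry is not None and (m := TOML_KV.match(line)):
            entry.setdefault(m.group(1), m.group(2))
    return hits

# Constructed sample inputs, not taken from a real project
SAMPLE_REQ = """requests==2.31.0
# easyhttprequest==2.31.4
EasyHttpRequest == 2.31.5 ; python_version >= "3.8"
easyhttprequest>=2.0
"""
SAMPLE_LOCK = """[[package]]
name = "requests"
version = "2.31.0"
[[package]]
name = "easyhttprequest"
version = "2.31.4"
"""
```

Each finding is a `(line number, pinned version or None, verdict)` tuple; an unpinned or differently pinned entry is still reported as `name-match`, since the package should not be in the dependency tree at all.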

Frequently asked questions

No. easyhttprequest on PyPI has been identified as a malicious package (versions 2.31.4, 2.31.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

  • RLMA-2024-03881
  • RLUA-2024-08178
  • 2023-12-09-easyhttprequest
  • RLUA-2025-06562
  • RLUA-2026-00287

Credits

  • Kamil Mańkowski (kam193)
  • ReversingLabs · finder
