Which versions of easyioctl are malicious?

The following PyPI versions of easyioctl are flagged malicious: 1.0, 1.1, 1.2.0, 1.2.2, 1.2.3. Treat any of these as compromised.

How do I remediate easyioctl if I installed it?

Remove easyioctl from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed easyioctl — how do I know if it already compromised me?

If easyioctl was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is easyioctl part of a known attack campaign?

Yes — easyioctl is associated with the GENERIC-simple-tests campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find easyioctl across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for easyioctl (5 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging easyioctl across your stack and pipelines.

Malicious package

easyioctlPyPI

Malicious code in easyioctl (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2024-12260

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall easyioctl

What this malware does

Packages that might be part of testing for pentesting / malicious activity / joy, with suspicious activity that does not present any real harm.

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: GENERIC-simple-tests

Reasons (based on the campaign):

The package overrides the install command in setup.py to execute malicious code during installation.

Malicious versions

5 flagged

1.01.11.2.01.2.21.2.3

Indicators of compromise (SHA-256)

1412f4f0f2ea483c46480d45313a9d031dc055839842bede5c82f1af256f039b

17bb7b2d6ca02c6c077bc420bf4b9136e424f53cf276f61529b19806e5bb5bca

bd833454aee9b4091cf017891457621ae1674b1585303ca84601035969790d62

1391c1cb612985f43b14ea19ffdd82415aa400076d9c800aff7eb79deed1b701

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for easyioctl (5 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging easyioctl across your stack and pipelines.
If you installed it — respond
Remove easyioctl from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If easyioctl was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks easyioctl before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. easyioctl on PyPI has been identified as a malicious package (versions 1.0, 1.1, 1.2.0, 1.2.2, 1.2.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

GENERIC-simple-tests

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)

Detect & block this

O3 blocks easyioctl-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring