Which versions of enumeratiam are malicious?

The following PyPI versions of enumeratiam are flagged malicious: 0.0.3, 0.0.4. Treat any of these as compromised.

How do I remediate enumeratiam if I installed it?

enumeratiam is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed enumeratiam — how do I know if it already compromised me?

If enumeratiam was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is enumeratiam part of a known attack campaign?

Yes — enumeratiam is associated with the RLMA-2025-04764, 2025-08-aws-enumerate, RLUA-2026-00296 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find enumeratiam across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for enumeratiam (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging enumeratiam across your stack and pipelines.

Malicious package

enumeratiamPyPI

Malicious code in enumeratiam (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-47763

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall enumeratiam

What this malware does

Package acts as dependency that exfiltrates credentials data while creating a boto3 client

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-08-aws-enumerate

Reasons (based on the campaign):

exfiltration-generic
action-hidden-in-lib-usage
exfiltration-credentials

Malicious versions

2 flagged

0.0.30.0.4

Indicators of compromise (SHA-256)

41a6f487e5ab8ef2f8eb8661e3d423301447dfa7e544c763f671247d6e1be1e8

4154331a157ac6592554e22b22973e85be39f353d8b548e7518b19c41360c00d

9bcbc4cde02af001776bd6812c42586311baa3d29fc13a5800760297af961041

e43e9a60c782d640d92fd9a34d58dc5d4ae4ec32cc4d949556f813658453b295

23856a872c3fa6fcf328366c3437150b59b044625a554b38b0a1ece1f51e3904

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for enumeratiam (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging enumeratiam across your stack and pipelines.
If you installed it — respond
enumeratiam is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If enumeratiam was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks enumeratiam before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. enumeratiam on PyPI has been identified as a malicious package (versions 0.0.3, 0.0.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-047642025-08-aws-enumerateRLUA-2026-00296

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks enumeratiam-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring