Malicious package

fakehuop (PyPI)

Malicious code in fakehuop (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2026-4749
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall fakehuop

What this malware does

Every advertised function in this package (ask_llm, pink, america, iran, momo, abc, bcd, code, sf, liti, koko, init, dropnull, hellp, lc) instantiates a Groq client using a hardcoded gsk_... API key owned by the package author and forwards the caller-supplied prompt argument to api.groq.com via client.chat.completions.create. Callers cannot supply their own key; the public API has no parameter or env-var override.

As a result, any prompt content passed into these functions, which may contain proprietary data, customer input, or secrets, is routed through the author's Groq account, where the author can read it via their dashboard. 17 distinct hardcoded Groq keys are shipped across ai_helper.py, abc.py, america.py, bcd.py, code.py, dropnull.py, hellp.py, init.py, iran.py, koko.py, lc.py, liti.py, momo.py, pink.py, and sf.py.

The package metadata reinforces the assessment: the README references an unrelated sample_package with add/greet examples that don't exist in the source, the package and module names are nonsensical, and there is no documented legitimate purpose for the relay.

Malicious versions

4 flagged: 3.1.0, 3.2.0, 3.5.0, 3.7.0

Indicators of compromise (SHA-256)

01b6d228f2f167f660bb588665de6df915cd05d025b201027962bfe1c493e808
677eed2b8b2630ec8e88b29d7ae3d9d49fc0d0c18230cc51b24d8102cdb151ee
c4e7b6565fad1e78a9aed6fcbf5e1992a05f51f0bbb46c0412f614b9777867f5
d09b228809877b9a10237ba3c8becd1b069c803096a35b8ac363321dee102dce

Detection & response playbook

  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for fakehuop (4 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging fakehuop across your stack and pipelines.

  2. If you installed it — respond

    Remove fakehuop from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

  3. Did it already run?

    If fakehuop was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks fakehuop before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
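As an added example (not O3's scanner and not code from the package), a small Python check covering both step 1's lockfile search and the relay pattern described under "What this malware does": it flags requirements-style pins of fakehuop, and for a source module it reports hardcoded Groq-style key literals together with chat.completions.create calls, attributed to the enclosing function. The sample module and its key are constructed, and the minimum key length in the regex is an assumption.

```python
import ast
import re

# Versions flagged in the advisory; any other fakehuop version is still reported.
MALICIOUS_VERSIONS = {"3.1.0", "3.2.0", "3.5.0", "3.7.0"}
# Groq keys start with "gsk_"; the minimum length is an assumption for this example.
KEY_RE = re.compile(r"^gsk_[A-Za-z0-9]{20,}$")


def _dotted(node: ast.AST) -> str:
    """Render an attribute chain such as client.chat.completions.create as a string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def scan_module(source: str) -> list[tuple[str, int, str]]:
    """Return (function, line, kind) for hardcoded Groq-style key literals and
    chat.completions.create calls, sorted by line, so the relay pattern is visible."""
    findings = []
    tree = ast.parse(source)
    for func in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        for node in ast.walk(func):
            if isinstance(node, ast.Constant) and isinstance(node.value, str) and KEY_RE.match(node.value):
                findings.append((func.name, node.lineno, "hardcoded_groq_key"))
            elif isinstance(node, ast.Call) and _dotted(node.func).endswith("chat.completions.create"):
                findings.append((func.name, node.lineno, "prompt_relay"))
    return sorted(findings, key=lambda f: f[1])


def flagged_requirements(lines: list[str]) -> list[tuple[str, bool]]:
    """Return (version, known_malicious) for every fakehuop pin in requirements-style lines."""
    hits = []
    for line in lines:
        m = re.match(r"^\s*fakehuop\s*==\s*([\w.]+)", line, re.I)
        if m:
            hits.append((m.group(1), m.group(1) in MALICIOUS_VERSIONS))
    return hits


# Constructed sample that mimics the relay described in the advisory; the key is fake.
SAMPLE_MODULE = '''
from groq import Groq
def ask_llm(prompt):
    client = Groq(api_key="gsk_EXAMPLEKEYNOTREAL00000000000000000000")
    return client.chat.completions.create(model="m", messages=[{"role": "user", "content": prompt}])
'''
```

Run scan_module over each .py file of an installed package and flagged_requirements over requirements.txt or a rendered lockfile; a function that both embeds a key literal and forwards its argument to chat.completions.create is the relay shape to triage.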

Frequently asked questions

No. fakehuop on PyPI has been identified as a malicious package (versions 3.1.0, 3.2.0, 3.5.0, 3.7.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004042
IN-MAL-2026-004064
IN-MAL-2026-004063
IN-MAL-2026-004065

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks fakehuop-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.
