Which versions of fidnffvvbfhghghhhh are malicious?

The following PyPI versions of fidnffvvbfhghghhhh are flagged malicious: 1. Treat any of these as compromised.

How do I remediate fidnffvvbfhghghhhh if I installed it?

fidnffvvbfhghghhhh is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed fidnffvvbfhghghhhh — how do I know if it already compromised me?

If fidnffvvbfhghghhhh was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is fidnffvvbfhghghhhh part of a known attack campaign?

Yes — fidnffvvbfhghghhhh is associated with the RLMA-2024-11047, 2024-10-gal32fjdsbf89hnd-gcp-token, RLUA-2026-00323 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find fidnffvvbfhghghhhh across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for fidnffvvbfhghghhhh (version 1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging fidnffvvbfhghghhhh across your stack and pipelines.

Malicious package

fidnffvvbfhghghhhhPyPI

Malicious code in fidnffvvbfhghghhhh (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2024-11596

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall fidnffvvbfhghghhhh

What this malware does

Installing the package attempts to exfiltrate GCP tokens. As it uses a random names and/or targets specific accounts, it's most probably a (pen)test.

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: 2024-10-gal32fjdsbf89hnd-gcp-token

Reasons (based on the campaign):

exfiltration-cloud-tokens

Malicious versions

1 flagged

Indicators of compromise (SHA-256)

c493c8a2a17805e485a28fff3ad823f4edf63ef77104e1d4e772085dccc15001

c391b41e9ea140e884922c2ea915a321d2896acb982e1ee624659ed51ee0e342

53e1b3f1fc19bbc10acfd813b8839f3831cc7624906c54a8ea4ca6a2d2706877

b5bad1ff673c0086337a4ced5b66c046ee5f39ad5eab4c879a3e03a7ef6c1128

f7f1dca84b7fff020c6d7f2f7af85d8cdea754c7f5587aeb1999769117923408

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for fidnffvvbfhghghhhh (version 1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging fidnffvvbfhghghhhh across your stack and pipelines.
If you installed it — respond
fidnffvvbfhghghhhh is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If fidnffvvbfhghghhhh was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks fidnffvvbfhghghhhh before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. fidnffvvbfhghghhhh on PyPI has been identified as a malicious package (version 1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2024-110472024-10-gal32fjdsbf89hnd-gcp-tokenRLUA-2026-00323

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks fidnffvvbfhghghhhh-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring