Which versions of gal32fjdsbf89hnd are malicious?

The following PyPI versions of gal32fjdsbf89hnd are flagged malicious: 1. Treat any of these as compromised.

How do I remediate gal32fjdsbf89hnd if I installed it?

gal32fjdsbf89hnd is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed gal32fjdsbf89hnd — how do I know if it already compromised me?

If gal32fjdsbf89hnd was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is gal32fjdsbf89hnd part of a known attack campaign?

Yes — gal32fjdsbf89hnd is associated with the RLMA-2024-11050, 2024-10-gal32fjdsbf89hnd-gcp-token, RLUA-2026-00345 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find gal32fjdsbf89hnd across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for gal32fjdsbf89hnd (version 1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging gal32fjdsbf89hnd across your stack and pipelines.

Malicious package

gal32fjdsbf89hndPyPI

Malicious code in gal32fjdsbf89hnd (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2024-11598

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall gal32fjdsbf89hnd

What this malware does

Installing the package attempts to exfiltrate GCP tokens. As it uses a random names and/or targets specific accounts, it's most probably a (pen)test.

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: 2024-10-gal32fjdsbf89hnd-gcp-token

Reasons (based on the campaign):

exfiltration-cloud-tokens

Malicious versions

1 flagged

Indicators of compromise (SHA-256)

be9397c577909e952747e357d6f89ee5d450558ffa705def24a013070ee9ca15

04acfdcfbd1dc02db2acf4cd92272be826a5c223c04374204efb13c241bc1b60

289d4debca52d2f6a1dd07428abe588fa5857d09a6726740ba061b260d24de8b

0b29505a82049c6ad552b81ec52f400958dc644e15a6b2ee2f554bdda026a604

2e8a2e53df2a44c6f658621ebfd6d40cba7528defc4c43a3003b96c4c07f7f85

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for gal32fjdsbf89hnd (version 1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging gal32fjdsbf89hnd across your stack and pipelines.
If you installed it — respond
gal32fjdsbf89hnd is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If gal32fjdsbf89hnd was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks gal32fjdsbf89hnd before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. gal32fjdsbf89hnd on PyPI has been identified as a malicious package (version 1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2024-110502024-10-gal32fjdsbf89hnd-gcp-tokenRLUA-2026-00345

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks gal32fjdsbf89hnd-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring