What does the hello-test-s1 malware do?

During installation or importing the module, the package starts a reverse shell to hardcoded locatiom Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2025-12-aiogram-sever-patch Reasons (based on the campaign): - The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine. - The package overrides the install command in setup.py to execute malicious code during installation. - dependency-confusion

Which versions of hello-test-s1 are malicious?

The following PyPI versions of hello-test-s1 are flagged malicious: 0.1.0, 0.3.0, 0.3.1. Treat any of these as compromised.

How do I remediate hello-test-s1 if I installed it?

Remove hello-test-s1 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is hello-test-s1 part of a known attack campaign?

Yes — hello-test-s1 is associated with the 2025-12-aiogram-sever-patch campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect hello-test-s1 in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking hello-test-s1 and packages like it before any post-install script runs.

Malicious package

hello-test-s1PyPI

Malicious code in hello-test-s1 (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-5812

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall hello-test-s1

What this malware does

During installation or importing the module, the package starts a reverse shell to hardcoded locatiom

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-12-aiogram-sever-patch

Reasons (based on the campaign):

The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.
The package overrides the install command in setup.py to execute malicious code during installation.
dependency-confusion

Malicious versions

3 flagged

0.1.00.3.00.3.1

Indicators of compromise (SHA-256)

3e38aef2a7eaa434284aa00122cf429e1a1a07658e02afec7bb3690d7cbfe9ec

Frequently asked questions

No. hello-test-s1 on PyPI has been identified as a malicious package (versions 0.1.0, 0.3.0, 0.3.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2025-12-aiogram-sever-patch

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193) · reporter

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection