Which versions of hellotesthim are malicious?

The following PyPI versions of hellotesthim are flagged malicious: 0.1.1. Treat any of these as compromised.

How do I remediate hellotesthim if I installed it?

hellotesthim is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed hellotesthim — how do I know if it already compromised me?

If hellotesthim was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is hellotesthim part of a known attack campaign?

Yes — hellotesthim is associated with the RLMA-2025-03614, 2025-07-0x9xnx, RLUA-2026-00386 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find hellotesthim across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for hellotesthim (version 0.1.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging hellotesthim across your stack and pipelines.

Malicious package

hellotesthimPyPI

Malicious code in hellotesthim (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-6521

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall hellotesthim

What this malware does

Series of packages mostly with an obfuscated infostealer attempting to collect Chrome data. While discord webhook is usually set to an example, there are other, correct uploading URLs

Some of related packages only test partial malicious code, like webhooks from overwritten setup.py

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-07-0x9xnx

Reasons (based on the campaign):

infostealer
obfuscation
exfiltration-browser-data
exfiltration-crypto
The package overrides the install command in setup.py to execute malicious code during installation.

Malicious versions

1 flagged

0.1.1

Indicators of compromise (SHA-256)

1b4aaa389ee71107a6abd55fd88840eb5e56d91ce1ded2088019d5ff14bff96e

ee4ee0bc09c95cbc4756934c8e75b9ca2c7d0c2d8122e4fa780d24006f336c42

a7a4369b02deb0d2a9cf1340be0efe760e29f7979e3f7361ba029a282b70597f

ebac8611e6414a1268054f17e4918c2fb6a5d53bbceb014bf5dc07f9218939a6

482e18ab0359522d5f5bed6cf7fb07de872390a65d0cd7ae821123796fb11831

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for hellotesthim (version 0.1.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging hellotesthim across your stack and pipelines.
If you installed it — respond
hellotesthim is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If hellotesthim was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks hellotesthim before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. hellotesthim on PyPI has been identified as a malicious package (version 0.1.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-036142025-07-0x9xnxRLUA-2026-00386

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks hellotesthim-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring