Which versions of hmacsync are malicious?

The following PyPI versions of hmacsync are flagged malicious: 1.0.0. Treat any of these as compromised.

How do I remediate hmacsync if I installed it?

hmacsync is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed hmacsync — how do I know if it already compromised me?

If hmacsync was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is hmacsync part of a known attack campaign?

Yes — hmacsync is associated with the 2026-05-libhmac campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find hmacsync across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for hmacsync (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging hmacsync across your stack and pipelines.

Malicious package

hmacsyncPyPI

Malicious code in hmacsync (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-4828

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall hmacsync

What this malware does

The package is a new version of the previously removed libhmac. The key parts, a malicious payload to inject into hijacked browser extensions, is not included in the package. The code allows hijacking browser extensions to - based on previous package - exfiltrate credentials. This package also contains code to create hidden SSH access to the machine with hardcoded credentials.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-libhmac

Reasons (based on the campaign):

crypto-related
exfiltration-credentials
exfiltration-crypto
exfiltration-browser-data

Malicious versions

1 flagged

1.0.0

Indicators of compromise (SHA-256)

d361ffcded0fc3d88b5095d800b13b3f8a07a581e8003c30bfcf9887eb71243f

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for hmacsync (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging hmacsync across your stack and pipelines.
If you installed it — respond
hmacsync is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If hmacsync was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks hmacsync before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. hmacsync on PyPI has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2026-05-libhmac

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193) · reporter

Detect & block this

O3 blocks hmacsync-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring