What does the httprequesthub malware do?

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2023-11-update-information-endpoint Reasons (based on the campaign): - obfuscation - The package overrides the install command in setup.py to execute malicious code during installation. - typosquatting

Which versions of httprequesthub are malicious?

The following PyPI versions of httprequesthub are flagged malicious: 2.31.0, 2.31.1, 2.31.3, 2.31.4. Treat any of these as compromised.

How do I remediate httprequesthub if I installed it?

httprequesthub is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed httprequesthub — how do I know if it already compromised me?

If httprequesthub was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is httprequesthub part of a known attack campaign?

Yes — httprequesthub is associated with the RLMA-2024-04003, RLUA-2024-08364, 2023-11-update-information-endpoint, RLUA-2025-06570, RLUA-2026-00399 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find httprequesthub across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for httprequesthub (4 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging httprequesthub across your stack and pipelines.

Malicious package

httprequesthubPyPI

Malicious code in httprequesthub (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2024-5221

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall httprequesthub

What this malware does

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2023-11-update-information-endpoint

Reasons (based on the campaign):

obfuscation
The package overrides the install command in setup.py to execute malicious code during installation.
typosquatting

Malicious versions

4 flagged

2.31.02.31.12.31.32.31.4

Indicators of compromise (SHA-256)

e2da341d77a84522b98021d1c613853bfbed53b58c3938454866295eea2d4455

05521880daba3c36411d645f6a5f848e45b17ad69b900107084262371a1e3267

e80ca08c5d67e62c33fd5548d3f2bf07f514f095442a3446950f58e02ebf54f7

9cb098bd2812c755619c73b684023bf34629af2974cb8ef5d522a58be75a571a

3fe0cfce57bd2592d7757d2d27b155141eb46a724ceb1754088a595281665e85

13a37dc9fbda24988fad628b61ef6c553da23bb7e26d74bc4c85e06bc0188baa

138ced64777564c2d2780bb5da3a775836b1c809672b8b3b2d30a9d935479ff8

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for httprequesthub (4 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging httprequesthub across your stack and pipelines.
If you installed it — respond
httprequesthub is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If httprequesthub was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks httprequesthub before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. httprequesthub on PyPI has been identified as a malicious package (versions 2.31.0, 2.31.1, 2.31.3, 2.31.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2024-04003RLUA-2024-083642023-11-update-information-endpointRLUA-2025-06570RLUA-2026-00399

References

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks httprequesthub-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring