Which versions of humunaiodio2443 are malicious?

The following PyPI versions of humunaiodio2443 are flagged malicious: 0.3.6. Treat any of these as compromised.

How do I remediate humunaiodio2443 if I installed it?

Remove humunaiodio2443 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed humunaiodio2443 — how do I know if it already compromised me?

If humunaiodio2443 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is humunaiodio2443 part of a known attack campaign?

Yes — humunaiodio2443 is associated with the RLMA-2025-05602, 2025-10-wangzhou183, RLUA-2026-00408 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find humunaiodio2443 across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for humunaiodio2443 (version 0.3.6). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging humunaiodio2443 across your stack and pipelines.

Malicious package

humunaiodio2443PyPI

Malicious code in humunaiodio2443 (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-191633

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall humunaiodio2443

What this malware does

Package imitates Roblox API wrapper, but the only action is getting the public IP, suggesting it's a security research or malicious attempt

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: 2025-10-wangzhou183

Reasons (based on the campaign):

The package overrides the install command in setup.py to execute malicious code during installation.

Malicious versions

1 flagged

0.3.6

Indicators of compromise (SHA-256)

dc1a39e54c408e86363a1bfe7c218353c6713cda81a90192eb7d394e787b9857

5926727ffea43558afb7ed41cb091f53b0c22adbf085017cd3e9088bf5f83c88

0f8b15e18af91c7aa7c9b3de3f2a24c1dcdca73d75acffdd2c8b6650d1c13657

d197b8732cf67933491ff988ed0f3c2f0b96f36d48e8d01d489ed09ec23a3412

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for humunaiodio2443 (version 0.3.6). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging humunaiodio2443 across your stack and pipelines.
If you installed it — respond
Remove humunaiodio2443 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If humunaiodio2443 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks humunaiodio2443 before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. humunaiodio2443 on PyPI has been identified as a malicious package (version 0.3.6 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-056022025-10-wangzhou183RLUA-2026-00408

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks humunaiodio2443-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring