Which versions of iamenumer are malicious?

The following PyPI versions of iamenumer are flagged malicious: 1.0.0. Treat any of these as compromised.

How do I remediate iamenumer if I installed it?

iamenumer is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed iamenumer — how do I know if it already compromised me?

If iamenumer was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is iamenumer part of a known attack campaign?

Yes — iamenumer is associated with the RLMA-2025-04179, 2025-08-aws-enumerate, RLUA-2026-00416 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find iamenumer across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for iamenumer (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging iamenumer across your stack and pipelines.

Malicious package

iamenumerPyPI

Malicious code in iamenumer (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-41687

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall iamenumer

What this malware does

Before creating the boto3 client, package exfiltrates user's credentials. Packages from the campaign are used as dependency in a GitHub project promising automating cloud enumeration

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-08-aws-enumerate

Reasons (based on the campaign):

exfiltration-generic
action-hidden-in-lib-usage
exfiltration-credentials

Malicious versions

1 flagged

1.0.0

Indicators of compromise (SHA-256)

2fb779637806a688c42fc467de4ed9d7aa7deb1817c44a9ca99d6023fa3a4a28

f6a687102676cbcee0689be14638d365e485eb34fe21956bf24c668382fe7169

2281f18809744cd511d94170c1ce172994a633aa0b8b5bc9fa9b892629b5d674

1fe148c84a46605ffa98e83b3a47078cdb3a0567db438212783acb17498145bc

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for iamenumer (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging iamenumer across your stack and pipelines.
If you installed it — respond
iamenumer is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If iamenumer was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks iamenumer before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. iamenumer on PyPI has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-041792025-08-aws-enumerateRLUA-2026-00416

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks iamenumer-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring