Which versions of j5gnpuiwerbngpiutbgn0iutb0p are malicious?

The following PyPI versions of j5gnpuiwerbngpiutbgn0iutb0p are flagged malicious: 0.0.1. Treat any of these as compromised.

How do I remediate j5gnpuiwerbngpiutbgn0iutb0p if I installed it?

Remove j5gnpuiwerbngpiutbgn0iutb0p from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed j5gnpuiwerbngpiutbgn0iutb0p — how do I know if it already compromised me?

If j5gnpuiwerbngpiutbgn0iutb0p was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is j5gnpuiwerbngpiutbgn0iutb0p part of a known attack campaign?

Yes — j5gnpuiwerbngpiutbgn0iutb0p is associated with the 2024-10-lokopoil23 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find j5gnpuiwerbngpiutbgn0iutb0p across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for j5gnpuiwerbngpiutbgn0iutb0p (version 0.0.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging j5gnpuiwerbngpiutbgn0iutb0p across your stack and pipelines.

Malicious package

j5gnpuiwerbngpiutbgn0iutb0pPyPI

Malicious code in j5gnpuiwerbngpiutbgn0iutb0p (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2024-9407

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall j5gnpuiwerbngpiutbgn0iutb0p

What this malware does

According to the description, packages should demonstrate the dependency confusion attack. The realisation is, in fact, a spamming with packages having as the only purpose reporting basic data like hostname and current working directory.

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: 2024-10-lokopoil23

Reasons (based on the campaign):

dependency-confusion

The OpenSSF Package Analysis project identified 'j5gnpuiwerbngpiutbgn0iutb0p' @ 0.0.1 (pypi) as malicious.

It is considered malicious because:

The package communicates with a domain associated with malicious activity.

Malicious versions

1 flagged

0.0.1

Indicators of compromise (SHA-256)

f687494d7deb053d91f0bf7154dd9981e9e9e4c227483141dc806b3cab994a34

376d56a642ddeab11de99d2f9f6e21fb5b9b46b318786eced46d94c474e09787

0e410a6e975b8a7d6930f2fbde2be25a08fd2bc8995fc57d1794fc12eaf1e019

f2ae533e963dfd702d3936eaea5357f3a0c412107d74ff007e3a4cb35b7edb8a

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for j5gnpuiwerbngpiutbgn0iutb0p (version 0.0.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging j5gnpuiwerbngpiutbgn0iutb0p across your stack and pipelines.
If you installed it — respond
Remove j5gnpuiwerbngpiutbgn0iutb0p from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If j5gnpuiwerbngpiutbgn0iutb0p was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks j5gnpuiwerbngpiutbgn0iutb0p before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. j5gnpuiwerbngpiutbgn0iutb0p on PyPI has been identified as a malicious package (version 0.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2024-10-lokopoil23

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
OpenSSF: Package Analysis · finder

Detect & block this

O3 blocks j5gnpuiwerbngpiutbgn0iutb0p-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring