Which versions of k7eela are malicious?

The following PyPI versions of k7eela are flagged malicious: 0.1.1, 0.1.2, 0.1.3. Treat any of these as compromised.

How do I remediate k7eela if I installed it?

k7eela is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed k7eela — how do I know if it already compromised me?

If k7eela was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is k7eela part of a known attack campaign?

Yes — k7eela is associated with the RLMA-2025-04782, 2025-08-k7eel, RLUA-2026-00449 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find k7eela across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for k7eela (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging k7eela across your stack and pipelines.

Malicious package

k7eelaPyPI

Malicious code in k7eela (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-47778

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall k7eela

What this malware does

Importing the module downloads and executes widely recognized malware

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-08-k7eel

Reasons (based on the campaign):

Downloads and executes a remote executable.
malware

Malicious versions

3 flagged

0.1.10.1.20.1.3

Indicators of compromise (SHA-256)

6552e2553a9dcf3e97cfbaed8e47032a2bebe4ffe9f08f3127aa58fdbae4af5d

d7e3fe39dd34e77fa1c0bd55ea84e631d5395c3e85344e51114fb4e68e4d2edb

ed0626762f4c1981700c0a6a6782dce64b6ebe2a9dc478b5a3d4ad2f186f8645

ddd29021aa1b51a4007900402350f3008e1fb6f931a08ca77674c9cdc1db2044

efc7140c752aa1d4c47b7f6641977eb16c55a2d893cb881d4e5870e61a641fc3

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for k7eela (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging k7eela across your stack and pipelines.
If you installed it — respond
k7eela is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If k7eela was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks k7eela before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. k7eela on PyPI has been identified as a malicious package (versions 0.1.1, 0.1.2, 0.1.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-047822025-08-k7eelRLUA-2026-00449

References

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks k7eela-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring