Which versions of kgmicolors are malicious?

The following PyPI versions of kgmicolors are flagged malicious: 0.1.0, 0.1.1. Treat any of these as compromised.

How do I remediate kgmicolors if I installed it?

kgmicolors is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed kgmicolors — how do I know if it already compromised me?

If kgmicolors was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is kgmicolors part of a known attack campaign?

Yes — kgmicolors is associated with the RLMA-2025-01967, 2025-02-kgmicolors, RLUA-2026-00452 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find kgmicolors across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for kgmicolors (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging kgmicolors across your stack and pipelines.

Malicious package

kgmicolorsPyPI

Malicious code in kgmicolors (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-2969

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall kgmicolors

What this malware does

Package contains hidden code that downloads a next stage script, which finally downloads and starts a malware from XWORM family as well as an infostealer

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-02-kgmicolors

Reasons (based on the campaign):

infostealer
Downloads and executes a remote malicious script.
malware

Malicious versions

2 flagged

0.1.00.1.1

Indicators of compromise (SHA-256)

bc80c88fcc1a584c34053a62ab784fad10c283d3cfe6c35a19e8f63a72777c04

460b2269bc9b49d8cfc6a1f3e0233e91670c10ccfea39af9f3ccb7ebae3b6c11

0d93708c54253e6772832d4aa1ef7f59e5f4f4c159d5ffaaa4045d8267b15b30

6d73015363550c22c5ee553a7780fce74d0b79656b574184fb779717fda7b5a7

fa982acb4ba9f8d69a2901ac38a2c263287a5d10ab13ac64baf773db7df5a4ea

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for kgmicolors (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging kgmicolors across your stack and pipelines.
If you installed it — respond
kgmicolors is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If kgmicolors was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks kgmicolors before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. kgmicolors on PyPI has been identified as a malicious package (versions 0.1.0, 0.1.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-019672025-02-kgmicolorsRLUA-2026-00452

References

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks kgmicolors-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring