What does the libsock malware do?

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers. Campaign: 2023-11-update-information-endpoint Reasons (based on the campaign): - obfuscation - The package overrides the install command in setup.py to execute malicious code during installation. - typosquatting

Which versions of libsock are malicious?

The following PyPI versions of libsock are flagged malicious: 1.1.0, 1.1.3. Treat any of these as compromised.

How do I remediate libsock if I installed it?

libsock is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed libsock — how do I know if it already compromised me?

If libsock was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is libsock part of a known attack campaign?

Yes — libsock is associated with the RLMA-2024-04107, RLUA-2024-08471, 2023-11-update-information-endpoint, RLUA-2025-06572, RLUA-2026-00470 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find libsock across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for libsock (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging libsock across your stack and pipelines.

Malicious package

libsockPyPI

Malicious code in libsock (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2024-5325

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall libsock

What this malware does

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2023-11-update-information-endpoint

Reasons (based on the campaign):

obfuscation
The package overrides the install command in setup.py to execute malicious code during installation.
typosquatting

Malicious versions

2 flagged

1.1.01.1.3

Indicators of compromise (SHA-256)

74e9c1c0d56be08681f2347e7a45296f31c8c49b78eaf17c9a5fd7e2c610b836

7a615347539330614ba7156383cc8bb90f6abcd84f9636a4de17659825db0b59

ecbe2bc8b2c0d658a96156e7d7b6d71176492493bc325404b473a77a61f20f48

8894e90cf943b19a12209f27fbd96009bc1c0c63af51f723208570e1afae2c47

0a6dbb368cef015d08b51bd6f3f2a3b7ba6bfa0c31175b761023c080a8edf470

cfa1c23a3a97268aff98963dc583a071e1d1c81111f910599d210506facd446d

7f63cfe26759fe925e88f385129e2845bb346cd4596efded11337dba9bf467be

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for libsock (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging libsock across your stack and pipelines.
If you installed it — respond
libsock is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If libsock was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks libsock before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. libsock on PyPI has been identified as a malicious package (versions 1.1.0, 1.1.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2024-04107RLUA-2024-084712023-11-update-information-endpointRLUA-2025-06572RLUA-2026-00470

References

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks libsock-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring