Which versions of logax are malicious?

The following PyPI versions of logax are flagged malicious: 1, 1.5, 2.4, 2.5, 2.7, 2.9, 3.1, 3.2, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 4, 4.0, 4.2, 4.3, 4.5, 4.8, and 7 more. Treat any of these as compromised.

How do I remediate logax if I installed it?

logax is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed logax — how do I know if it already compromised me?

If logax was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is logax part of a known attack campaign?

Yes — logax is associated with the RLMA-2025-02512, 2025-03-logax, RLUA-2026-00475 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find logax across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for logax (27 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging logax across your stack and pipelines.

Malicious package

logaxPyPI

Malicious code in logax (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-3450

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall logax

What this malware does

The package is capable of installing malware from a hardcoded URL. The malware is well-recognized and acts as infostealer. Interestingly, it uses Steam profiles to get the current C2 domain (based on sandbox analysis).

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-03-logax

Reasons (based on the campaign):

infostealer
malware

Malicious versions

27 flagged

11.52.42.52.72.93.13.23.43.53.63.73.83.944.04.24.34.54.84.955.05.25.35.48.3

Indicators of compromise (SHA-256)

14dec44fd3afb9745d8838e0570fb0e0db4fd51f3a101e8b065ea53534286f6c

2bbac92c2eb7e20fcf7b96dcd2a6e96353d9e5e0cbb7b9de97ec258645995264

e129e6d6d38e21a039bd2190e3138f1381ad386e45a49521621a8b8ad61f7678

04e36d292d30c17c677e673242120722d25b56cc1e4c8f11766323e96bcbe2e5

0828cc74cc0f7033c0bf58055fc419a5f1db7b5f7f5281e640ba0cd7c4cb416d

7efcd8806bb1b3f40893dcfba0dc66b8251397e6a41dd335ca318a116446b599

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for logax (27 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging logax across your stack and pipelines.
If you installed it — respond
logax is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If logax was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks logax before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. logax on PyPI has been identified as a malicious package (versions 1, 1.5, 2.4, 2.5, 2.7, 2.9, 3.1, 3.2, and 19 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-025122025-03-logaxRLUA-2026-00475

References

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks logax-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring