Which versions of mennort are malicious?

The following PyPI versions of mennort are flagged malicious: 0.1.0. Treat any of these as compromised.

How do I remediate mennort if I installed it?

mennort is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed mennort — how do I know if it already compromised me?

If mennort was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is mennort part of a known attack campaign?

Yes — mennort is associated with the 2024-09-mennort campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find mennort across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for mennort (version 0.1.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging mennort across your stack and pipelines.

Malicious package

mennortPyPI

Malicious code in mennort (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2024-12305

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall mennort

What this malware does

Package sends out the data to a hardcoded webhook. However, it's clearly said in the description, thus - not really malicious.

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: 2024-09-mennort

Reasons (based on the campaign):

The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.

Malicious versions

1 flagged

0.1.0

Indicators of compromise (SHA-256)

7358c3fbea88f86a27ca3533198952e5240c458d48eabe833e615d05843add9a

a18b704aee3dd3fa8d54027bbe2d6634696fcffaf194410e38fb5318d0d2a534

918aa07086969a68921f69dc3016d701f9b616caeb4234fdc0e02f60234962d1

8f4bd4dd3c75dcb72f9c4aaa9151e5e4ad127366f36092ed8760c0f945a0cd40

d4485fd74ad4238c6891abcd7714cd5394dcd5f88880d21f5660ce8e76a053d1

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for mennort (version 0.1.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging mennort across your stack and pipelines.
If you installed it — respond
mennort is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If mennort was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks mennort before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. mennort on PyPI has been identified as a malicious package (version 0.1.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2024-09-mennort

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)

Detect & block this

O3 blocks mennort-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring