Which versions of ml2000 are malicious?

The following PyPI versions of ml2000 are flagged malicious: 0.1.4. Treat any of these as compromised.

How do I remediate ml2000 if I installed it?

ml2000 carries a destructive/sabotage payload. Remove it immediately, restore any affected data from clean backups, and verify integrity of build outputs that may have been tampered with.

I already installed ml2000 — how do I know if it already compromised me?

If ml2000 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is ml2000 part of a known attack campaign?

Yes — ml2000 is associated with the IN-MAL-2026-004205 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find ml2000 across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for ml2000 (version 0.1.4). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging ml2000 across your stack and pipelines.

Malicious package

ml2000PyPI

Malicious code in ml2000 (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-4756

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall ml2000

What this malware does

On invoking the ml2000 CLI with no arguments, interactive_menu() in src/ml_labs/generator.py writes a batch file and launches it via subprocess.Popen(["cmd.exe", "/c", bat_path], creationflags=DETACHED_PROCESS | CREATE_NO_WINDOW). The batch script runs taskkill /IM WindowsTerminal.exe /F, taskkill /IM cmd.exe /F, taskkill /IM powershell.exe /F, then pipx uninstall ml2000, then deletes itself. The use of detached/no-window flags hides this from the user, and the README advertises only ML notebook code generation — the destructive behavior is undisclosed. This is install/use-time destruction of installer-side resources: open terminal sessions are force-killed (causing loss of unsaved work in any other shell the user has open) and the package removes itself behind the user's back. Project metadata is also placeholder (Your Name <[email protected]>), corroborating that this is not a legitimate maintained release.

Malicious versions

1 flagged

0.1.4

Indicators of compromise (SHA-256)

871b57a598bf1230a64fa6ee85d442eb30f21915176835801871dc46c59cedf6

Detection & response playbook

Destructive / sabotage

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for ml2000 (version 0.1.4). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging ml2000 across your stack and pipelines.
If you installed it — respond
ml2000 carries a destructive/sabotage payload. Remove it immediately, restore any affected data from clean backups, and verify integrity of build outputs that may have been tampered with.
Did it already run?
If ml2000 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks ml2000 before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. ml2000 on PyPI has been identified as a malicious package (version 0.1.4 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004205

References

pypi.org

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks ml2000-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring