Which versions of murkh1111 are malicious?

The following PyPI versions of murkh1111 are flagged malicious: 1.0.99. Treat any of these as compromised.

How do I remediate murkh1111 if I installed it?

murkh1111 is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed murkh1111 — how do I know if it already compromised me?

If murkh1111 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is murkh1111 part of a known attack campaign?

Yes — murkh1111 is associated with the RLMA-2025-03648, GENERIC-standard-pypi-install-pentest, RLUA-2026-00541 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find murkh1111 across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for murkh1111 (version 1.0.99). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging murkh1111 across your stack and pipelines.

Malicious package

murkh1111PyPI

Malicious code in murkh1111 (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-6551

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall murkh1111

What this malware does

Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: GENERIC-standard-pypi-install-pentest

Reasons (based on the campaign):

The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
The package overrides the install command in setup.py to execute malicious code during installation.

Malicious versions

1 flagged

1.0.99

Indicators of compromise (SHA-256)

4ca90b510e12c0045c66eb21e221e6e0c8f11690fe6fd3fb56d205275cd24108

d3936eae22c9cf2a2974d5af0839b630c29f9277ade7ac54681afe01d90cb8f0

906d5f09d6b21967d1f368837e8208faaccf4d609537ad596c58dd76a5c93a8c

b6b268ce057d03d00ba67f2e1543b6bb8dc0fee0a19732011841956f8b8d882c

4bd4b001ad3338cb8c1417325f00cd49a8a2cb0aa3ae67ac82433c5fb03c743b

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for murkh1111 (version 1.0.99). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging murkh1111 across your stack and pipelines.
If you installed it — respond
murkh1111 is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If murkh1111 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks murkh1111 before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. murkh1111 on PyPI has been identified as a malicious package (version 1.0.99 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-03648GENERIC-standard-pypi-install-pentestRLUA-2026-00541

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks murkh1111-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring