Which versions of network-utils-simple are malicious?

The following PyPI versions of network-utils-simple are flagged malicious: 1.0.0, 1.1.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.2.9, 1.3.0, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8. Treat any of these as compromised.

How do I remediate network-utils-simple if I installed it?

network-utils-simple is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed network-utils-simple — how do I know if it already compromised me?

If network-utils-simple was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is network-utils-simple part of a known attack campaign?

Yes — network-utils-simple is associated with the 2025-02-network-utils-simple campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find network-utils-simple across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for network-utils-simple (19 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging network-utils-simple across your stack and pipelines.

Malicious package

network-utils-simplePyPI

Malicious code in network-utils-simple (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-191803

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall network-utils-simple

What this malware does

During installation, there is an attempt to download and execute code. The package has no real functionality.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-02-network-utils-simple

Reasons (based on the campaign):

Downloads and executes a remote executable.
The package overrides the install command in setup.py to execute malicious code during installation.

Malicious versions

19 flagged

1.0.01.1.01.2.11.2.21.2.31.2.41.2.51.2.61.2.71.2.81.2.91.3.01.3.21.3.31.3.41.3.51.3.61.3.71.3.8

Indicators of compromise (SHA-256)

bc0c49092004be85dfeb1bde20187a0064ef40d2085df3aaf4fd5cf2e83c8a8f

1fd943d3243197ac153b2623548e62b4225a59f611cf13fe962bc3ced369a32d

1771b174e3a524e62418469f2f9485ca3d5d0ccd7bfa76243a152d2c35fcec9d

7f1712ca8ff4e22e19054082ecda7ef7b746121d7cb8662c1342d4804808dfb3

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for network-utils-simple (19 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging network-utils-simple across your stack and pipelines.
If you installed it — respond
network-utils-simple is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If network-utils-simple was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks network-utils-simple before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. network-utils-simple on PyPI has been identified as a malicious package (versions 1.0.0, 1.1.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, and 11 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2025-02-network-utils-simple

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)

Detect & block this

O3 blocks network-utils-simple-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring