Which versions of nukecount are malicious?

The following PyPI versions of nukecount are flagged malicious: 0.1.1. Treat any of these as compromised.

How do I remediate nukecount if I installed it?

nukecount is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed nukecount — how do I know if it already compromised me?

If nukecount was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is nukecount part of a known attack campaign?

Yes — nukecount is associated with the RLMA-2025-04795, 2025-08-k7eel, RLUA-2026-00564 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find nukecount across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for nukecount (version 0.1.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging nukecount across your stack and pipelines.

Malicious package

nukecountPyPI

Malicious code in nukecount (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-47790

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall nukecount

What this malware does

Importing the module downloads and executes widely recognized malware

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-08-k7eel

Reasons (based on the campaign):

Downloads and executes a remote executable.
malware

Malicious versions

1 flagged

0.1.1

Indicators of compromise (SHA-256)

5f371af2f78baca9c6df5d1ad51023a7bfe0d6af4f9b44c2109031d995446014

e4914f8c068616e63b597c8d478f7ccc10b8e42bfa9811c1de0124283a013d61

1c580cf8d8131f2ffd1d0f7b171d118de85e69ef0f1d1b67f5ebc8b5ce3c804d

17c1e6b85b746f40fd1b00e414b1a56c1c22032954d01cc1ba7452db89d3645d

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for nukecount (version 0.1.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging nukecount across your stack and pipelines.
If you installed it — respond
nukecount is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If nukecount was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks nukecount before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. nukecount on PyPI has been identified as a malicious package (version 0.1.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-047952025-08-k7eelRLUA-2026-00564

References

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks nukecount-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring