Which versions of perfviewer are malicious?

The following PyPI versions of perfviewer are flagged malicious: 14.2.1, 14.2.2, 14.2.3, 14.2.4, 14.2.5. Treat any of these as compromised.

How do I remediate perfviewer if I installed it?

perfviewer is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed perfviewer — how do I know if it already compromised me?

If perfviewer was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is perfviewer part of a known attack campaign?

Yes — perfviewer is associated with the 2025-11-perfviewer, RLMA-2025-06580, RLUA-2026-00588 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find perfviewer across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for perfviewer (5 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging perfviewer across your stack and pipelines.

Malicious package

perfviewerPyPI

Malicious code in perfviewer (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-191814

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall perfviewer

What this malware does

During installation, code downloads and starts an executable and a DLL library. After starting them, files are removed from the disk. The executable has been recognized as AsyncRAT

This is a copy of legitimate "rich" package.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-11-perfviewer

Reasons (based on the campaign):

Downloads and executes a remote executable.
clones-real-package
malware

Malicious versions

5 flagged

14.2.114.2.214.2.314.2.414.2.5

Indicators of compromise (SHA-256)

c763880ca204a5adf4bc2241d929f6fd4256a26f54fca4b714b9a6b6791b1d2c

ea912a2de677fa6d9ea6dbf9a792dace4d927efd46a5cb615ba8548fec4930e8

f23958ec66020bb0dd7fd02c6b93d6ee7e7632c1933dcfa43e4e74df08b5b394

df2cf3e3faae6a85c12c522517740fd322ffdf3b28da8f83d491ca07082d1d0d

b0a8f740f690b447968b6e58cbfce4d3cb4a3e98fa2281bc6c4d7f56f46da411

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for perfviewer (5 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging perfviewer across your stack and pipelines.
If you installed it — respond
perfviewer is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If perfviewer was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks perfviewer before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. perfviewer on PyPI has been identified as a malicious package (versions 14.2.1, 14.2.2, 14.2.3, 14.2.4, 14.2.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2025-11-perfviewerRLMA-2025-06580RLUA-2026-00588

References

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks perfviewer-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring