Which versions of pipmodule83 are malicious?

The following PyPI versions of pipmodule83 are flagged malicious: 1.0.2. Treat any of these as compromised.

How do I remediate pipmodule83 if I installed it?

Remove pipmodule83 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed pipmodule83 — how do I know if it already compromised me?

If pipmodule83 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is pipmodule83 part of a known attack campaign?

Yes — pipmodule83 is associated with the RLMA-2025-03662, 2025-07-pipmodule83, RLUA-2026-00594 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find pipmodule83 across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for pipmodule83 (version 1.0.2). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging pipmodule83 across your stack and pipelines.

Malicious package

pipmodule83PyPI

Malicious code in pipmodule83 (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-6565

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall pipmodule83

What this malware does

If run as a module, the package downloads and executes a remote script. At the time of check, the remote script was just opening a popup; thus it's not classified as clearly malicious.

Through the package description related to "cirhenly" package, which was uploaded by "0x92nw" - see campaign 2025-07-0x92nw

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: 2025-07-pipmodule83

Reasons (based on the campaign):

Downloads and executes a remote malicious script.

Malicious versions

1 flagged

1.0.2

Indicators of compromise (SHA-256)

a3ef16c222720f6936569e3cb54d57c916954c86ec5f95495414c25af1041c40

7856b4f75afa0125606616ed3bf99110de22c8f90bad7ce4595cd05b241c47fb

95b01ea01a7fd1ff5e52491e6b143aa98f45a6f331814222fe38e76ad3ac0863

618aeb590e02926a184d2a0f61c2e3ce42d681a1b7c15a0438092ffb27759a41

14044cfef2d72e831a96ef47086bab2cf9644d221de1c1447797e5b35b8de453

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for pipmodule83 (version 1.0.2). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging pipmodule83 across your stack and pipelines.
If you installed it — respond
Remove pipmodule83 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If pipmodule83 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks pipmodule83 before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. pipmodule83 on PyPI has been identified as a malicious package (version 1.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-036622025-07-pipmodule83RLUA-2026-00594

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks pipmodule83-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring