Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
Malicious package

pipspeedPyPI

Malicious code in pipspeed (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-10213
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall pipspeed

What this malware does

The package's advertised public entry point pipspeed._optimize() GETs a JSON document from https://www.jsonkeeper.com/b/53XMN (an anonymous, mutable paste host) and reads package, function, and args fields from the response. It then runs pip install <package> via subprocess, importlib.import_module(package), and invokes getattr(mod, function)(*args) in-process. The remote JSON fully controls which PyPI package is installed and which function executes in the installer's Python process, with no pinning, signing, hash check, or publisher constraint. Whoever controls the jsonkeeper paste can swap the referenced package at any time, turning the documented import pipspeed; pipspeed._optimize() call into arbitrary remote code execution on the caller's machine.

Malicious versions

1 flagged
0.1.0

Indicators of compromise (SHA-256)

b1037d713fe94f92e9f1302a1c8fdfcd03ee290e1f2076e7c01cbd1305499e91

Detection & response playbook

Malicious package
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for pipspeed (version 0.1.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging pipspeed across your stack and pipelines.

  2. If you installed it — respond

    Remove pipspeed from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

  3. Did it already run?

    If pipspeed was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks pipspeed before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. pipspeed on PyPI has been identified as a malicious package (version 0.1.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-009767

References

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks pipspeed-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.