Malicious package: pojang-resorter (PyPI)

Malicious code in pojang-resorter (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2024-11660
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall pojang-resorter

What this malware does

Early versions overrode the install command to take screenshots; later versions moved to automatically installing an infostealer. The behaviour changed again afterwards and now looks like a toolkit for installing malware which, depending on the version, still includes automated infostealer installation. The exact code is partly hidden behind several obfuscation methods.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2024-08-pojang-resorter

Reasons (based on the campaign):

  • infostealer

  • The package overrides the install command in setup.py to execute malicious code during installation.

  • Downloads and executes a remote executable.

  • obfuscation

  • exfiltration-generic

Malicious versions

56 flagged
0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 1.0, 1.2, 1.6.2, 1.22, 1.25, 1.92, 1.97, 1.926, 1.9626, 2.3, 2.4, 2.31, 2.32.1, 2.32.2, 2.32.3, 2.32.5, 2.32.6, 2.32.7, 2.32.8, 2.32.9, 2.32.10, 2.32.11, 2.32.12, 2.32.13, 2.32.14, 2.32.15, 2.32.16, 2.32.17, 2.32.18, 2.32.19, 2.32.20, 2.32.21, 2.32.22, 2.32.23, 2.32.24, 2.32.25, 2.32.26, 2.32.29, 2.32.30, 2.32.31, 2.32.33, 2.32.35, 2.33, 2.34, 5.5, 5.6, 5.6.1, 5.6.2, 5.6.3

Indicators of compromise (SHA-256)

32c46121ce286dd93e238b8c32109d1bd2b2db2d0c9625b54c58d7c9a83132f8
25a900f69627a1ddda55398fb22b00e30fe1a80967a07d0ef2ee48ee22e6e628
2b5f9cd53d855ccc1ebed2b1f9dc610af8ee0978f5fa689cad954b3a56b1a22b
276307cb967db6b8578e23287085b8e186a88da47cdd7530cfa4bfb649e8a7c6
09781b6135eae3c4ff14430850b82116b9c2472214b517c98455d150ae52947d
37bba5e5599491c09bfb3bed2f869a8aaf2d7da2bd1f75c897b028954b7b68ff

Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for pojang-resorter (56 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging pojang-resorter across your stack and pipelines.

  2. If you installed it — respond

    pojang-resorter is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If pojang-resorter was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks pojang-resorter before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
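The following is an added example, not O3 Security's scanner or any code from the advisory: a stand-alone Python script that does the "find it" step offline. It normalises package names the way PyPI does (so Pojang_Resorter and pojang-resorter compare equal), scans requirements.txt / pip freeze output and poetry.lock for the package, reports whether each occurrence is pinned to one of the 56 flagged versions, and hashes other files in a checkout against the six SHA-256 indicators listed above. The sample manifest contents are constructed for the demonstration; the version list and hashes are the advisory's.

```python
"""Added example: locate pojang-resorter in Python manifests and match
artifacts against the advisory's SHA-256 indicators. Not vendor tooling."""
import hashlib
import re
from pathlib import Path

# Flagged versions as listed in the advisory (56 entries).
FLAGGED_VERSIONS = set("""
0.1 0.2 0.3 0.4 0.5 0.6 0.7 1.0 1.2 1.6.2 1.22 1.25 1.92 1.97 1.926 1.9626
2.3 2.4 2.31 2.32.1 2.32.2 2.32.3 2.32.5 2.32.6 2.32.7 2.32.8 2.32.9 2.32.10
2.32.11 2.32.12 2.32.13 2.32.14 2.32.15 2.32.16 2.32.17 2.32.18 2.32.19
2.32.20 2.32.21 2.32.22 2.32.23 2.32.24 2.32.25 2.32.26 2.32.29 2.32.30
2.32.31 2.32.33 2.32.35 2.33 2.34 5.5 5.6 5.6.1 5.6.2 5.6.3
""".split())

# SHA-256 indicators of compromise from the advisory.
IOC_SHA256 = {
    "32c46121ce286dd93e238b8c32109d1bd2b2db2d0c9625b54c58d7c9a83132f8",
    "25a900f69627a1ddda55398fb22b00e30fe1a80967a07d0ef2ee48ee22e6e628",
    "2b5f9cd53d855ccc1ebed2b1f9dc610af8ee0978f5fa689cad954b3a56b1a22b",
    "276307cb967db6b8578e23287085b8e186a88da47cdd7530cfa4bfb649e8a7c6",
    "09781b6135eae3c4ff14430850b82116b9c2472214b517c98455d150ae52947d",
    "37bba5e5599491c09bfb3bed2f869a8aaf2d7da2bd1f75c897b028954b7b68ff",
}


def normalize(name: str) -> str:
    """PEP 503 normalisation: runs of '-', '_', '.' become '-', lower-cased."""
    return re.sub(r"[-_.]+", "-", name).lower()


TARGET = normalize("pojang-resorter")

# Requirement line: name, optional [extras], optional first version clause.
REQ_LINE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*"
    r"(?:(===|==|~=|!=|<=|>=|<|>)\s*([^\s;#,]+))?"
)


def classify(op, version) -> dict:
    """Every version is malicious; the status says how precise the match is."""
    spec = f"{op}{version}" if op else ""
    if op in ("==", "===") and version in FLAGGED_VERSIONS:
        return {"spec": spec, "status": "flagged"}
    if op in ("==", "==="):
        return {"spec": spec, "status": "pinned-but-not-in-list"}
    return {"spec": spec, "status": "unpinned"}


def scan_requirements(text: str) -> list:
    """Scan requirements.txt or `pip freeze` output for the package."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # skip -r, -e, --index-url ...
            continue
        m = REQ_LINE.match(line)
        if m and normalize(m.group(1)) == TARGET:
            findings.append(classify(m.group(2), m.group(3)))
    return findings


# poetry.lock [[package]] blocks put name on the line after the header,
# then version; both are quoted TOML strings.
POETRY_PKG = re.compile(
    r'\[\[package\]\]\s+name\s*=\s*"([^"]+)"\s+version\s*=\s*"([^"]+)"'
)


def scan_poetry_lock(text: str) -> list:
    """Scan poetry.lock; locked versions are always exact pins."""
    return [classify("==", v) for n, v in POETRY_PKG.findall(text)
            if normalize(n) == TARGET]


def sha256_is_ioc(data: bytes) -> bool:
    """True if the artifact's SHA-256 is one of the advisory's indicators."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256


def scan_tree(root: str) -> dict:
    """Walk a checkout: manifests by package name, every other file by hash."""
    report = {"manifests": {}, "ioc_hits": []}
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.name == "poetry.lock":
            hits = scan_poetry_lock(p.read_text(errors="replace"))
        elif p.name.startswith("requirements") and p.suffix == ".txt":
            hits = scan_requirements(p.read_text(errors="replace"))
        else:
            if sha256_is_ioc(p.read_bytes()):
                report["ioc_hits"].append(str(p))
            continue
        if hits:
            report["manifests"][str(p)] = hits
    return report


# Constructed sample inputs for the demonstration (not real project files).
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
Pojang_Resorter==2.32.15   # differently spelled, still the same package
pojang-resorter>=1.0
numpy>=1.26
"""
SAMPLE_POETRY_LOCK = """\
[[package]]
name = "pojang-resorter"
version = "5.6.3"
description = ""
optional = false
"""

if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

Run it against a checkout with `python find_pojang.py /path/to/repo`; any entry under "manifests" means the package is referenced and step 2 (remove and rotate) applies, and any "ioc_hits" entry means a known payload file is present on disk. The hash pass only catches the exact artifacts listed; since the package is obfuscated and changes between versions, treat the name match as the authoritative signal.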

Frequently asked questions

No. pojang-resorter on PyPI has been identified as a malicious package (versions 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 1.0, and 48 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

  • RLMA-2024-11117
  • 2024-08-pojang-resorter
  • RLUA-2026-00598

Credits

  • Kamil Mańkowski (kam193)
  • ReversingLabs · finder

Detect & block this

O3 blocks pojang-resorter-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

pojang-resorter (PyPI) malicious package — MAL-2024-11660 | O3 Security