Which versions of pycacheopt are malicious?

The following PyPI versions of pycacheopt are flagged malicious: 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7. Treat any of these as compromised.

How do I remediate pycacheopt if I installed it?

pycacheopt is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed pycacheopt — how do I know if it already compromised me?

If pycacheopt was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is pycacheopt part of a known attack campaign?

Yes — pycacheopt is associated with the 2026-05-pycacheopt campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find pycacheopt across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for pycacheopt (7 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging pycacheopt across your stack and pipelines.

Malicious package

pycacheoptPyPI

Malicious code in pycacheopt (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-3371

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall pycacheopt

What this malware does

The extension module hides code that in specific circumstances executes given code. The malicious action is hidden only in the extension module with the same-named Python code file containing only benign code.

This campaign was first detected by Aikido Security.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-pycacheopt

Reasons (based on the campaign):

other
The package contains code to detect if it is running in a sandbox environment.

Malicious versions

7 flagged

0.2.10.2.20.2.30.2.40.2.50.2.60.2.7

Indicators of compromise (SHA-256)

cf50eae305079227b5283e08547cc201f941624c95e49460c3e6544cdd1e221b

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for pycacheopt (7 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging pycacheopt across your stack and pipelines.
If you installed it — respond
pycacheopt is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If pycacheopt was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks pycacheopt before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. pycacheopt on PyPI has been identified as a malicious package (versions 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2026-05-pycacheopt

References

Credits

Kamil Mańkowski (kam193) · reporter

Detect & block this

O3 blocks pycacheopt-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring