Malicious package: pyhttpproxifier (PyPI)

Malicious code was found in pyhttpproxifier (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2024-5721
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall pyhttpproxifier

What this malware does

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2023-11-update-information-endpoint

Reasons (based on the campaign):

  • obfuscation

  • The package overrides the install command in setup.py to execute malicious code during installation.

  • typosquatting

Malicious versions

2 flagged
0.9.2, 0.9.3

Indicators of compromise (SHA-256)
Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for pyhttpproxifier (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging pyhttpproxifier across your stack and pipelines.

  2. If you installed it — respond

    pyhttpproxifier is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If pyhttpproxifier was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks pyhttpproxifier before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
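The "Find it" step above amounts to matching dependency manifests against the flagged package and its two malicious versions. The script below is an added example of that check and is not O3 Security's scanner or any code from the package; it handles requirements.txt / pip freeze lines and poetry.lock-style `[[package]]` tables, normalizes names per PEP 503 so case and `-`/`_`/`.` variants still match, and reports unpinned entries separately because a resolver could still select a flagged release. The package name and versions come from this advisory; the sample manifests are constructed.

```python
"""Scan Python dependency manifests for a flagged malicious package.

Added example, not O3 Security's scanner. Flags pyhttpproxifier at the
versions listed in the advisory (0.9.2, 0.9.3) and also reports any other
occurrence of the package, since the package itself is malicious.
"""
import re
from typing import Iterable

# Package -> set of versions flagged in the advisory.
FLAGGED = {"pyhttpproxifier": {"0.9.2", "0.9.3"}}

# requirements.txt / pip freeze style: name[extras] <op> version
_REQ_LINE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*"
    r"(?P<op>===|==|~=|>=|<=|!=|>|<)?\s*(?P<ver>[^\s;#,]+)?"
)


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_requirements(lines: Iterable[str]) -> list[dict]:
    """Return findings for requirements.txt / pip freeze style input."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        # Skip blanks, pip options (-r, --index-url) and URL requirements.
        if not line or line.startswith(("-", "git+", "http")):
            continue
        m = _REQ_LINE.match(line)
        if not m:
            continue
        name = normalize(m.group("name"))
        if name not in FLAGGED:
            continue
        op, ver = m.group("op"), m.group("ver")
        if op in ("==", "===") and ver in FLAGGED[name]:
            status = "flagged-version"
        elif op in ("==", "==="):
            status = "package-present"  # still remove: the package is malicious
        else:
            status = "unpinned"  # resolver may pick a flagged version
        findings.append(
            {"line": lineno, "package": name, "version": ver, "status": status}
        )
    return findings


def scan_poetry_lock(text: str) -> list[dict]:
    """Minimal parse of poetry.lock [[package]] tables (name/version keys)."""
    findings = []
    for block in text.split("[[package]]")[1:]:
        name_m = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        ver_m = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if not name_m:
            continue
        name = normalize(name_m.group(1))
        if name not in FLAGGED:
            continue
        ver = ver_m.group(1) if ver_m else None
        status = "flagged-version" if ver in FLAGGED[name] else "package-present"
        findings.append({"package": name, "version": ver, "status": status})
    return findings


# Constructed sample manifests for demonstration (not real project files).
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
PyHTTPProxifier==0.9.3   # casing differs, still matches after normalization
pyhttpproxifier>=0.9
httpproxifier==1.0
"""

SAMPLE_POETRY_LOCK = """\
[[package]]
name = "requests"
version = "2.31.0"
description = "Python HTTP for Humans."

[[package]]
name = "pyhttpproxifier"
version = "0.9.2"
description = ""
"""

if __name__ == "__main__":
    for f in scan_requirements(SAMPLE_REQUIREMENTS.splitlines()):
        print("requirements.txt:", f)
    for f in scan_poetry_lock(SAMPLE_POETRY_LOCK):
        print("poetry.lock:", f)
```

Run it against real files with `scan_requirements(open("requirements.txt"))` and `scan_poetry_lock(open("poetry.lock").read())`; any `flagged-version` or `package-present` hit means step 2 of the playbook applies, and an `unpinned` hit should be treated the same way until the resolved version is confirmed from the environment (`pip freeze`).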

Frequently asked questions

No. pyhttpproxifier on PyPI has been identified as a malicious package (versions 0.9.2, 0.9.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

  • RLMA-2024-04507
  • RLUA-2024-08945
  • 2023-11-update-information-endpoint
  • RLUA-2025-06581
  • RLUA-2026-00635

References

Credits

  • Kamil Mańkowski (kam193)
  • ReversingLabs · finder

Detect & block this

O3 blocks pyhttpproxifier-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

pyhttpproxifier (PyPI) malicious package — MAL-2024-5721 | O3 Security