Which versions of pyobfuscation are malicious?

The following PyPI versions of pyobfuscation are flagged malicious: 0.1.0. Treat any of these as compromised.

How do I remediate pyobfuscation if I installed it?

pyobfuscation is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed pyobfuscation — how do I know if it already compromised me?

If pyobfuscation was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is pyobfuscation part of a known attack campaign?

Yes — pyobfuscation is associated with the RLMA-2025-03668, 2025-05-pyobfuscation, RLUA-2026-00641 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find pyobfuscation across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for pyobfuscation (version 0.1.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging pyobfuscation across your stack and pipelines.

Malicious package

pyobfuscationPyPI

Malicious code in pyobfuscation (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-6570

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall pyobfuscation

What this malware does

During installation, an executable is downloaded and started. It's been identified to contain Brute Ratel C4 components

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-05-pyobfuscation

Reasons (based on the campaign):

Downloads and executes a remote executable.
malware
obfuscation

Malicious versions

1 flagged

0.1.0

Indicators of compromise (SHA-256)

4f7751b060181cea4f3b7da11f3306c9057843379d6b0aca2f22afebebf30042

058fcd870cd771f9287f8a5004423f12ad7d47f5fce5840eb25c348534fdf6c2

f8e00692944f5cafaa4c7fdb9974554f20629bd4581e2c68baa5f1b0ca675def

91d282d471eada34f3697e9705cc7be31875eceddefd054edf1a249c1d4a2928

c5e1f568a3b49a8e9b8f06dff161ba0fdbaf317d85584df26472d1ceb52c04e2

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for pyobfuscation (version 0.1.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging pyobfuscation across your stack and pipelines.
If you installed it — respond
pyobfuscation is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If pyobfuscation was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks pyobfuscation before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. pyobfuscation on PyPI has been identified as a malicious package (version 0.1.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-036682025-05-pyobfuscationRLUA-2026-00641

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks pyobfuscation-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring