Which versions of pythob are malicious?

The following PyPI versions of pythob are flagged malicious: 1.0.0. Treat any of these as compromised.

How do I remediate pythob if I installed it?

pythob is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed pythob — how do I know if it already compromised me?

If pythob was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is pythob part of a known attack campaign?

Yes — pythob is associated with the RLMA-2024-09019, funcaptcha-ru campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find pythob across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for pythob (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging pythob across your stack and pipelines.

Malicious package

pythobPyPI

Malicious code in pythob (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2024-10130

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall pythob

What this malware does

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: funcaptcha-ru

Reasons (based on the campaign):

infostealer

Malicious versions

1 flagged

1.0.0

Indicators of compromise (SHA-256)

0c0dbc9bbaf6ac0067d9d0ba7c976fef787fd816f732a70c738aa49a25583f50

2f70f3bf29ff4938015ff3e2684ae1758e98fcbfc7302c3d601cc186f10c7abf

53d392d18cc1c9bf6dc0650c5bba6ee2c9e6eb0c12a05c22a37dc04352582286

96c90216b9b82c3895150c7aebde42ae9473846f8481eb8319c4a7af60395b04

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for pythob (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging pythob across your stack and pipelines.
If you installed it — respond
pythob is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If pythob was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks pythob before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. pythob on PyPI has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2024-09019funcaptcha-ru

References

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks pythob-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring