Malicious package: pytskcheck (PyPI)

Malicious code in pytskcheck (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2024-11685
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall pytskcheck

What this malware does

Importing the module downloads and executes an infostealer that is widely identified by AV engines and sandboxes.

Category: MALICIOUS - The campaign has clearly malicious intent (an infostealer).

Campaign: 2024-08-embeds-RealtekHDAudioManager

Reasons (based on the campaign):

  • infostealer

  • Downloads and executes a remote executable.

Malicious versions

1 flagged
0.0.1

Indicators of compromise (SHA-256)

9df3d22b10964a72bbdff3f6bfeb9731e5a61428d1ad15634dd04ba3b56ecc57
fa1d83cf6d43d0cd6461191a4416afba3e5b136c03b5d4289de38112257bf7a6
25d82b24b022549617724628ccd6d11da9cc713daffc187cc3531b5bf3ef07e8
013608417d1948ba63019f4b67a1b5b038a969e9016427481b797c01ee31f99e
4590ee37d244770d533594f8622c0c67da01bb5d4fc11ce044938c5acd5c5dee

Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for pytskcheck (version 0.0.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging pytskcheck across your stack and pipelines.

  2. If you installed it — respond

    pytskcheck is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If pytskcheck was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks pytskcheck before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
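To make steps 1 and 3 of the playbook concrete, here is an added stand-alone script (not O3 Security's scanner or any code from the advisory) that locates pytskcheck in requirements-style files, pip freeze output and poetry.lock, and hashes downloaded artifacts against the SHA-256 indicators listed above. The sample manifest contents are constructed for the demonstration; the package name, flagged version and digests are the ones the advisory gives.

```python
"""Added example: find pytskcheck in dependency manifests and match
artifacts against the advisory's SHA-256 IoCs. Defender-side check only."""
import hashlib
import re
from pathlib import Path

MALICIOUS_PACKAGE = "pytskcheck"
MALICIOUS_VERSIONS = {"0.0.1"}  # versions flagged in the advisory

# SHA-256 indicators of compromise listed in the advisory
IOC_SHA256 = {
    "9df3d22b10964a72bbdff3f6bfeb9731e5a61428d1ad15634dd04ba3b56ecc57",
    "fa1d83cf6d43d0cd6461191a4416afba3e5b136c03b5d4289de38112257bf7a6",
    "25d82b24b022549617724628ccd6d11da9cc713daffc187cc3531b5bf3ef07e8",
    "013608417d1948ba63019f4b67a1b5b038a969e9016427481b797c01ee31f99e",
    "4590ee37d244770d533594f8622c0c67da01bb5d4fc11ce044938c5acd5c5dee",
}


def normalize(name: str) -> str:
    """PEP 503 name normalisation, so 'Pytskcheck' or 'PYTSKCHECK' still match."""
    return re.sub(r"[-_.]+", "-", name).lower()


# One requirements.txt / pip-freeze line: name, optional extras, optional operator+version.
_REQ_LINE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*"
    r"(===|==|~=|>=|<=|!=|>|<)?\s*([^\s;#,]+)?"
)
# One [[package]] entry in poetry.lock: name and version are the first two keys.
_POETRY_PKG = re.compile(
    r'\[\[package\]\]\s+name\s*=\s*"([^"]+)"\s+version\s*=\s*"([^"]+)"'
)


def scan_requirements(text: str) -> list[dict]:
    """Return every requirement line that references the malicious package."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith(("-", "git+", "http")):
            continue  # pip options, editable installs, URL requirements
        m = _REQ_LINE.match(line)
        if not m or normalize(m.group(1)) != MALICIOUS_PACKAGE:
            continue
        op, version = m.group(2), m.group(3)
        pinned = version if op == "==" else None
        hits.append({
            "line": lineno,
            "requirement": line,
            "pinned_version": pinned,
            # an unpinned spec resolves to whatever PyPI serves, so flag it as well
            "known_bad_version": pinned is None or pinned in MALICIOUS_VERSIONS,
        })
    return hits


def scan_poetry_lock(text: str) -> list[dict]:
    """Return every locked package entry for the malicious package."""
    return [
        {"name": name, "version": ver, "known_bad_version": ver in MALICIOUS_VERSIONS}
        for name, ver in _POETRY_PKG.findall(text)
        if normalize(name) == MALICIOUS_PACKAGE
    ]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_ioc_digest(hexdigest: str) -> bool:
    """True when a SHA-256 hex digest is one of the advisory's indicators."""
    return hexdigest.strip().lower() in IOC_SHA256


def is_ioc_file(path: Path) -> bool:
    """Hash a cached wheel, sdist or dropped file and compare it to the IoC list."""
    return is_ioc_digest(sha256_hex(path.read_bytes()))


# Constructed sample inputs (not real project files)
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
requests==2.31.0
Pytskcheck==0.0.1   # flagged version, unusual capitalisation
pytskcheck>=0.0.1
-e git+https://example.invalid/tool.git#egg=tool
"""

SAMPLE_POETRY_LOCK = """\
[[package]]
name = "certifi"
version = "2024.7.4"
description = "Python package for providing Mozilla's CA Bundle."

[[package]]
name = "pytskcheck"
version = "0.0.1"
description = ""
"""

if __name__ == "__main__":
    for hit in scan_requirements(SAMPLE_REQUIREMENTS):
        print("requirements.txt:", hit)
    for hit in scan_poetry_lock(SAMPLE_POETRY_LOCK):
        print("poetry.lock:", hit)
    print("benign bytes match IoC?", is_ioc_digest(sha256_hex(b"constructed benign data")))
```

To run it over a real tree, feed `Path("requirements.txt").read_text()` to `scan_requirements` (the same parser handles `pip freeze` output) and `Path("poetry.lock").read_text()` to `scan_poetry_lock`, and point `is_ioc_file` at files in the pip cache or any unexpected binaries found on a host that installed the package. Name normalisation matters because PyPI treats `Pytskcheck`, `pytskcheck` and `PYTSKCHECK` as the same project, so a case-sensitive grep would miss some manifests.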

Frequently asked questions

No. pytskcheck on PyPI has been identified as a malicious package (version 0.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2024-11142
2024-08-embeds-RealtekHDAudioManager
RLUA-2026-00672

Credits

  • Kamil Mańkowski (kam193)
  • ReversingLabs · finder

Detect & block this

O3 blocks pytskcheck-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

pytskcheck (PyPI) malicious package — MAL-2024-11685 | O3 Security