Which versions of pyutilsplus are malicious?

The following PyPI versions of pyutilsplus are flagged malicious: 0.5, 0.6, 0.7. Treat any of these as compromised.

How do I remediate pyutilsplus if I installed it?

Remove pyutilsplus from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed pyutilsplus — how do I know if it already compromised me?

If pyutilsplus was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is pyutilsplus part of a known attack campaign?

Yes — pyutilsplus is associated with the RLMA-2024-04633, RLUA-2024-09089 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find pyutilsplus across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for pyutilsplus (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging pyutilsplus across your stack and pipelines.

Malicious package

pyutilsplusPyPI

Malicious code in pyutilsplus (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2024-5835

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall pyutilsplus

Malicious versions

3 flagged

0.50.60.7

Indicators of compromise (SHA-256)

1168949f9463db2ef23c3193380fe042fbda182ff02a6678fccc47d2e88e1966

d8ff993c0852f41edf78addca3dd81fe1fd0e8c6a8be1d2aabf56725d35da02c

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for pyutilsplus (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging pyutilsplus across your stack and pipelines.
If you installed it — respond
Remove pyutilsplus from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If pyutilsplus was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks pyutilsplus before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. pyutilsplus on PyPI has been identified as a malicious package (versions 0.5, 0.6, 0.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2024-04633RLUA-2024-09089

Credits

ReversingLabs · finder

Detect & block this

O3 blocks pyutilsplus-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring

pyutilsplusPyPI

Malicious versions

Indicators of compromise (SHA-256)

Detection & response playbook

Find it

If you installed it — respond

Did it already run?

How O3 protects you

Frequently asked questions

Campaign

Credits

Detect & block this