Which versions of rblxfando are malicious?

The following PyPI versions of rblxfando are flagged malicious: 0.1. Treat any of these as compromised.

How do I remediate rblxfando if I installed it?

rblxfando is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed rblxfando — how do I know if it already compromised me?

If rblxfando was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is rblxfando part of a known attack campaign?

Yes — rblxfando is associated with the RLMA-2025-02594, 2025-05-rblxfando, RLUA-2026-00687 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find rblxfando across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for rblxfando (version 0.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging rblxfando across your stack and pipelines.

Malicious package

rblxfandoPyPI

Malicious code in rblxfando (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-4237

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall rblxfando

What this malware does

Importing the module starts delayed downloading and starting a remote executable identified as BlankGrabber infostealer.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-05-rblxfando

Reasons (based on the campaign):

infostealer
Downloads and executes a remote executable.
malware
infostealer:blankgrabber

Malicious versions

1 flagged

0.1

Indicators of compromise (SHA-256)

71c3190c9136aa80c45bfe59119e33d939e8600b15ecee4bb10cbc4f3340220c

459f89ba5c8c6277489fa01ac51a1a2a3518da235661931c205639fe510aae8b

79348147677636191e632b65c78ba37a77d2ba57abed5c9b257624b0f14ba1b8

d6a7201f91dc04c7dc3779d41f23f88c22e399e65d5235b56fd5044a353a6383

33c2e61cb915612d6b71ff0f34f306d72647056a5333fe9012c753e762bb5da7

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for rblxfando (version 0.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging rblxfando across your stack and pipelines.
If you installed it — respond
rblxfando is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If rblxfando was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks rblxfando before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. rblxfando on PyPI has been identified as a malicious package (version 0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-025942025-05-rblxfandoRLUA-2026-00687

References

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks rblxfando-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring