Malicious package

reqeuts (PyPI)

Malicious code in reqeuts (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2025-968
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall reqeuts

What this malware does

Importing the module downloads and starts an infostealer that attempts to exfiltrate data and establishes persistence through an autorun directory.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2024-12-reqesst

Reasons (based on the campaign):

  • infostealer

  • peristence-autorun

  • typosquatting

  • exfiltration-generic

  • Downloads and executes a remote executable.

  • clones-real-package

  • dependency-confusion

  • exfiltration-browser-data

  • exfiltration-crypto

Malicious versions

2 flagged
2.32.2, 2.32.3

Indicators of compromise (SHA-256)


Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for reqeuts (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging reqeuts across your stack and pipelines.

  2. If you installed it — respond

    reqeuts is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If reqeuts was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks reqeuts before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
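
For step 1, a minimal scanner as an added example (not O3's scanner and not code from this page): it checks requirements-style text, poetry.lock text and the current interpreter's installed distributions for reqeuts, and marks the two flagged versions. The function names and the report format are assumptions made for illustration.

```python
import re
from importlib import metadata

BAD_NAME = "reqeuts"                 # package named in this advisory
BAD_VERSIONS = {"2.32.2", "2.32.3"}  # versions the advisory lists as flagged

def normalize(name):
    # PEP 503: case-insensitive, runs of "-", "_", "." are equivalent
    return re.sub(r"[-_.]+", "-", name).lower()

def finding(where, name, version):
    # Any pin of the name is reported; flagged_version marks the listed releases.
    if normalize(name) != BAD_NAME:
        return None
    return {"where": where, "version": version,
            "flagged_version": version in BAD_VERSIONS}

REQ = re.compile(r"^\s*([A-Za-z0-9][\w.-]*)\s*(?:\[[^\]]*\])?\s*(?:===?\s*([\w.!+*-]+))?")
LOCK = re.compile(r'^name\s*=\s*"([^"]+)"\s*\nversion\s*=\s*"([^"]+)"', re.M)

def scan_requirements(text, label="requirements.txt"):
    """requirements.txt or `pip freeze` output, one requirement per line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = REQ.match(line.split("#", 1)[0])
        hit = m and finding(f"{label}:{n}", m.group(1), m.group(2))
        if hit:
            hits.append(hit)
    return hits

def scan_poetry_lock(text, label="poetry.lock"):
    """poetry.lock [[package]] tables: name = "..." then version = "..."."""
    hits = (finding(label, m.group(1), m.group(2)) for m in LOCK.finditer(text))
    return [h for h in hits if h]

def scan_installed():
    """Reads installed metadata only; the package is never imported."""
    hits = []
    for dist in metadata.distributions():
        name = dist.metadata.get("Name")
        hit = name and finding(f"installed:{name}", name, dist.metadata.get("Version"))
        if hit:
            hits.append(hit)
    return hits

if __name__ == "__main__":
    sample = "requests==2.32.3\nReqeuts==2.32.3  # constructed sample line\n"
    for hit in scan_requirements(sample) + scan_installed():
        print(hit)
```

Run it with each virtual environment's own interpreter so scan_installed() sees that environment's site-packages; an unpinned match (version None) still counts as a finding because the name itself is the typosquat.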

Frequently asked questions

No. reqeuts on PyPI has been identified as a malicious package (versions 2.32.2, 2.32.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-00509, 2024-12-reqesst, RLUA-2026-00697

Credits

  • Kamil Mańkowski (kam193)
  • ReversingLabs · finder

Detect & block this

O3 blocks reqeuts-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

reqeuts (PyPI) malicious package — MAL-2025-968 | O3 Security