Which versions of requesr are malicious?

The following PyPI versions of requesr are flagged malicious: 2.32.2, 2.32.3. Treat any of these as compromised.

How do I remediate requesr if I installed it?

requesr is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed requesr — how do I know if it already compromised me?

If requesr was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is requesr part of a known attack campaign?

Yes — requesr is associated with the 2024-12-reqesst campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find requesr across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for requesr (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging requesr across your stack and pipelines.

Malicious package

requesrPyPI

Malicious code in requesr (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2024-12338

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall requesr

What this malware does

Importing the module downloads and starts an infostealer attempting to exfiltrate data and establishing persistence through autorun directory.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2024-12-reqesst

Reasons (based on the campaign):

infostealer
peristence-autorun
typosquatting
exfiltration-generic
Downloads and executes a remote executable.
clones-real-package
dependency-confusion
exfiltration-browser-data
exfiltration-crypto

Malicious versions

2 flagged

2.32.22.32.3

Indicators of compromise (SHA-256)

d770e81fd292e7197f38c6d0ae24eba80b80b257f7f1f62901f4f56ad1360af4

b792f17b467610a1021820a7718884aa436487a9ec75d5ebf889d400efeaec24

ab3aac1ba180fd7c8e4a17edeb7a4e7a8345d73f342e5e78751910ca2876e85c

a1ee8dfb075ecc00ec6f59ffc7500417dc3f1837ff205d96d7dc9a7d9fb817d0

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for requesr (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging requesr across your stack and pipelines.
If you installed it — respond
requesr is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If requesr was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks requesr before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. requesr on PyPI has been identified as a malicious package (versions 2.32.2, 2.32.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2024-12-reqesst

References

Credits

Kamil Mańkowski (kam193)

Detect & block this

O3 blocks requesr-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring