Which versions of requests-enhancer are malicious?

The following PyPI versions of requests-enhancer are flagged malicious: 1.4.2. Treat any of these as compromised.

How do I remediate requests-enhancer if I installed it?

Remove requests-enhancer from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is requests-enhancer part of a known attack campaign?

Yes — requests-enhancer is associated with the 2026-06-requests-enhancer campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect requests-enhancer in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking requests-enhancer and packages like it before any post-install script runs.

Malicious package

requests-enhancerPyPI

Malicious code in requests-enhancer (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-6247

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall requests-enhancer

What this malware does

Malicious package with a chain of multiple manual dependencies to finally download malicious code. During import, it manually downloads a dependency from GitHub repository "Hexa-devy/netflow-utils", which then attempts to download "codexio-boop/platform_syslib". The last one contains obfuscated code that during installation connects with node22.lunes[.]host:3258 and downloads encrypted payload. The payload is executed, and it then starts another loop of connections to node22.lunes[.]host:22240 and awaits next payloads to execute. During analysis, this stage did not deliver any payload. On every stage, short-living generated tokens are used.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-requests-enhancer

Reasons (based on the campaign):

backdoor
The package overrides the install command in setup.py to execute malicious code during installation.
obfuscation
The malicious code is intentionally included in a dependency of the package
The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.

Malicious versions

1 flagged

1.4.2

Indicators of compromise (SHA-256)

950c9d9155d6ba10a8d63c365fc6c7cc97d8bc6210165f93282d9e198ed3dd62

Frequently asked questions

No. requests-enhancer on PyPI has been identified as a malicious package (version 1.4.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2026-06-requests-enhancer

References

Credits

Kamil Mańkowski (kam193) · reporter

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection