Which versions of requesttss are malicious?

The following PyPI versions of requesttss are flagged malicious: 1.1.1, 2.28.1. Treat any of these as compromised.

How do I remediate requesttss if I installed it?

requesttss is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed requesttss — how do I know if it already compromised me?

If requesttss was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is requesttss part of a known attack campaign?

Yes — requesttss is associated with the RLMA-2025-01237, 2025-01-rqsts, RLUA-2026-00713, RLUA-2026-02081 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find requesttss across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for requesttss (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging requesttss across your stack and pipelines.

Malicious package

requesttssPyPI

Malicious code in requesttss (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-1994

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall requesttss

What this malware does

Clone of the requests package that modified the code to send all get and post requests to a hardcoded URL

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-01-rqsts

Reasons (based on the campaign):

clones-real-package
dependency-confusion
action-hidden-in-lib-usage

Malicious versions

2 flagged

1.1.12.28.1

Indicators of compromise (SHA-256)

ff4f5b53c4f94fe47f59710010f219b935128c2a5bb207acfec6702663fdff32

534cd9b41b514c90127542dea88d24d596d4528fecce2b5ea783e47ba49a1a27

12a8bc9313963cfa671547d93bfa32236afe6b7dfeeec048633a547aa05dbc12

bf4ac05c53d959e995caeee2ee5000af6d9e570a37686f7a777ef7f6c7ded10b

bd172130eba7e47288ce128c8cc7bb57e28de6e67330290baf9e4435873b994d

4853bc2964e7e3d39cf0b211243f054a7bd5548ebbf7cfdb4f912f063d90687e

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for requesttss (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging requesttss across your stack and pipelines.
If you installed it — respond
requesttss is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If requesttss was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks requesttss before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. requesttss on PyPI has been identified as a malicious package (versions 1.1.1, 2.28.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-012372025-01-rqstsRLUA-2026-00713RLUA-2026-02081

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks requesttss-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring