Which versions of requetses are malicious?

The following PyPI versions of requetses are flagged malicious: 0.1, 0.5. Treat any of these as compromised.

How do I remediate requetses if I installed it?

requetses is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed requetses — how do I know if it already compromised me?

If requetses was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is requetses part of a known attack campaign?

Yes — requetses is associated with the RLMA-2025-00515, 2024-12-requetses, RLUA-2026-00715 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find requetses across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for requetses (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging requetses across your stack and pipelines.

Malicious package

requetsesPyPI

Malicious code in requetses (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-974

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall requetses

What this malware does

Under a typosquatting name there is a package prepared to exfiltrate photos from a phone, although it requires external trigger.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2024-12-requetses

Reasons (based on the campaign):

typosquatting
files-exfiltration

Malicious versions

2 flagged

0.10.5

Indicators of compromise (SHA-256)

ae97c6a840769c7e87dc8cdcdb9c58bf711d2336939d28c4ace73e8471f7c753

84ab8ed88f67ad04de7e01f72e6ff79c3a7976066eeaef9c9a4257136602e3a6

d43e83ac1c0257aa1168edf9c20430524b46520f60a5f5a0c0e1c2040afa0c87

2dc48c2880ae219b50518b3466c641427e9eb7c3172ef4b23e301b9003db50f6

6df1ad0cd91f8fddf5fc43b49103306171b2d3247ff67141bcf30519a8dba60b

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for requetses (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging requetses across your stack and pipelines.
If you installed it — respond
requetses is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If requetses was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks requetses before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. requetses on PyPI has been identified as a malicious package (versions 0.1, 0.5 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-005152024-12-requetsesRLUA-2026-00715

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks requetses-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring