ryry-cliPyPI
Malicious code in ryry-cli (PyPI) Remove it immediately and rotate any exposed credentials.
What this malware does
ryry-cli runs as a long-lived agent that connects to a hardcoded WebSocket at wss://api.dalipen.com/aigc/task/connect and executes Python scripts under subprocess.Popen based on task messages sent by that server. During its polling loop it calls aigc/task/getAutoDeployWidget and, for each entry the server returns, runs pip install <server-supplied URL> on arbitrary wheels or downloads a zip and installs its requirements.txt, giving the remote endpoint unattended code execution on the host. utils.check_restart() writes a shell script that runs apt-get update && apt-get upgrade && apt-get install -y... and pip install -U ryry-cli and schedules it via at now + 1 minutes or Windows schtasks, mutating system packages and self-upgrading the CLI outside the user's package manager. taskUtils posts JSON payloads containing socket.gethostname() and a MAC/CPU-serial-derived device id, plus task log files, to a hardcoded WeChat work webhook at qyapi.weixin.qq.com/cgi-bin/webhook/send with an embedded key. A server-supplied Mihomo/Clash subscription URL fetched from aigc/task/config is applied by proxy_manager to route the agent's outbound traffic through an author-controlled proxy configuration. The package also embeds base64-encoded Aliyun OSS access-key ID and secret (utils.K1/K2) that are decoded at runtime and used to PUT files to the author's p-template-hk / p-upload-gz buckets.
Malicious versions
Indicators of compromise (SHA-256)
Detection & response playbook
Malicious packageFind it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for ryry-cli (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging ryry-cli across your stack and pipelines.
If you installed it — respond
Remove ryry-cli from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If ryry-cli was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks ryry-cli before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
Frequently asked questions
Campaign
References
Credits
- Amazon Inspector · finder
Detect & block this
O3 blocks ryry-cli-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.