Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
Malicious package

ryry-cliPyPI

Malicious code in ryry-cli (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-10759
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall ryry-cli

What this malware does

ryry-cli runs as a long-lived agent that connects to a hardcoded WebSocket at wss://api.dalipen.com/aigc/task/connect and executes Python scripts under subprocess.Popen based on task messages sent by that server. During its polling loop it calls aigc/task/getAutoDeployWidget and, for each entry the server returns, runs pip install <server-supplied URL> on arbitrary wheels or downloads a zip and installs its requirements.txt, giving the remote endpoint unattended code execution on the host. utils.check_restart() writes a shell script that runs apt-get update && apt-get upgrade && apt-get install -y... and pip install -U ryry-cli and schedules it via at now + 1 minutes or Windows schtasks, mutating system packages and self-upgrading the CLI outside the user's package manager. taskUtils posts JSON payloads containing socket.gethostname() and a MAC/CPU-serial-derived device id, plus task log files, to a hardcoded WeChat work webhook at qyapi.weixin.qq.com/cgi-bin/webhook/send with an embedded key. A server-supplied Mihomo/Clash subscription URL fetched from aigc/task/config is applied by proxy_manager to route the agent's outbound traffic through an author-controlled proxy configuration. The package also embeds base64-encoded Aliyun OSS access-key ID and secret (utils.K1/K2) that are decoded at runtime and used to PUT files to the author's p-template-hk / p-upload-gz buckets.

Malicious versions

2 flagged
6.266.28

Indicators of compromise (SHA-256)

0f7442ffccbf15fb45fc58c95556658f0070d3f0fdb3956bb5a3afa2b0cf4be2
4a305ba94c92b6ec62aaf627fc1213d9e37e1645f37fd033f61c7becaba71edd

Detection & response playbook

Malicious package
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for ryry-cli (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging ryry-cli across your stack and pipelines.

  2. If you installed it — respond

    Remove ryry-cli from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

  3. Did it already run?

    If ryry-cli was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks ryry-cli before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. ryry-cli on PyPI has been identified as a malicious package (versions 6.26, 6.28 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-010736IN-MAL-2026-010761

References

Credits

  • Amazon Inspector · finder

Detect & block this

O3 blocks ryry-cli-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

ryry-cli (PyPI) malicious package — MAL-2026-10759 | O3 Security