Malicious package

selfservsweeper (PyPI)

Malicious code in selfservsweeper (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2026-4221
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall selfservsweeper

What this malware does

The package describes itself as a 'Touch-friendly Minesweeper overlay for NCR SelfServ kiosks', but the advertised CLI entrypoints (selfservsweeper, selfservsweeper-cli) call run_app(), which automatically spawns python -m selfservsweeper.selfservclient as a side process. That module long-polls https://api.telegram.org/bot<redacted>/ with a hardcoded bot token shipped in src/selfservsweeper/api_url.pkl, accepts commands prefixed B2B1: from the Telegram channel @selfservserverbot, and executes attacker-supplied 'jobs'.

The job handler in selfservclient.py includes a /file <path> directive that writes attacker-supplied content to disk, and send_file_result reads any path field from a job result and uploads the raw bytes back to Telegram via sendDocument, giving the operator a bidirectional file read/write primitive on the installer's machine. Because the Telegram bot token is identical for every install, anyone who unpacks the wheel inherits command authority over every running instance.

grammarly.py additionally loads bundled .pkl artifacts (levenshtein.pkl, user_config_tempdir.pkl) via pickle.load and binds the resulting callables as edit_distance_cls and Sandbox._is_valid_path, invoking them on attacker-controlled job text: an obfuscation channel for arbitrary code execution.

The install --enable-startup subcommand (and the GUI 'Enable' button) writes %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\SelfServSweeper.vbs, persisting the supervisor (and with it the Telegram client) across logins, and the supervisor's auto-update path pip-installs the package on every boot so the backdoor stays live and self-updating. The minesweeper UI is cover; for anyone who runs the advertised binary, the package's effect is a persistent, attacker-controlled remote command channel with file read/write reach.

When used, the package executes remote commands disguised as OCR job requests.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-selfservsweeper

Reasons (based on the campaign):

  • Obfuscation

  • Remote command execution: the package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.

  • Persistence

  • Backdoor

Malicious versions

1 flagged: 0.1.7

Indicators of compromise (SHA-256)

261d2d72c05ac44f1cc977e3ec5e1f42ff1634f80b06a4b84b62e9079b8de8db
f4823d3b817e9fbcbf9261be9b7d108a6321b3dfa3ad5ef945c89a16bb4e5286
81843a6f21fe31627b1e97fdb8ffe41789c1f921c60512347bbf2b0c2fb30121

Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for selfservsweeper (version 0.1.7). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging selfservsweeper across your stack and pipelines.

  2. If you installed it — respond

    selfservsweeper is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If selfservsweeper was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks selfservsweeper before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
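As an added example for step 1 of the playbook above (this script is not part of the advisory and is not O3 Security's scanner), the following Python code finds pinned selfservsweeper entries in requirements.txt and TOML-style lock files, reports whether the package is importable by the current interpreter, and compares a cached wheel or sdist against the SHA-256 indicators listed above. The file names and regular expressions are assumptions about common Python dependency formats, not O3's detection logic.

```python
"""Find selfservsweeper (flagged 0.1.7) in dependency files, the running environment and cached artifacts."""
import hashlib
import re
from importlib import metadata
from pathlib import Path

PACKAGE = "selfservsweeper"
FLAGGED_VERSIONS = {"0.1.7"}
# SHA-256 indicators published in MAL-2026-4221
IOC_SHA256 = {
    "261d2d72c05ac44f1cc977e3ec5e1f42ff1634f80b06a4b84b62e9079b8de8db",
    "f4823d3b817e9fbcbf9261be9b7d108a6321b3dfa3ad5ef945c89a16bb4e5286",
    "81843a6f21fe31627b1e97fdb8ffe41789c1f921c60512347bbf2b0c2fb30121",
}
# Assumed dependency file names to walk; extend for your own tooling.
DEP_FILES = ("requirements.txt", "poetry.lock", "Pipfile.lock", "uv.lock")
# requirements.txt-style pins ("name==ver") and TOML lock entries (name = "..." then version = "...")
REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][\w.]*)", re.M)
LOCK_RE = re.compile(r'name\s*=\s*"([^"]+)"\s*version\s*=\s*"([^"]+)"')

def normalize(name: str) -> str:
    """PEP 503 normalisation so case and -/_/. variants of a name compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_text(text: str) -> list:
    """Return (name, version) for every pinned selfservsweeper entry in a dependency file."""
    hits = []
    for rx in (REQ_RE, LOCK_RE):
        hits += [(n, v) for n, v in rx.findall(text) if normalize(n) == PACKAGE]
    return hits

def flagged_in_text(text: str) -> bool:
    """True if any hit pins one of the versions flagged by the advisory."""
    return any(v in FLAGGED_VERSIONS for _, v in scan_text(text))

def scan_tree(root: Path) -> dict:
    """Map every dependency file under root to its selfservsweeper hits."""
    files = (p for p in root.rglob("*") if p.name in DEP_FILES)
    return {str(p): h for p in files if (h := scan_text(p.read_text(errors="ignore")))}

def installed_version():
    """Version of selfservsweeper importable by this interpreter, or None if absent."""
    try:
        return metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None

def matches_ioc(data: bytes) -> bool:
    """True if the bytes of a cached wheel or sdist hash to one of the published indicators."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256
```

Run `scan_tree(Path("."))` from the project root and pass `Path(wheel).read_bytes()` from your pip cache to `matches_ioc`; any hit on version 0.1.7 or on an indicator hash means the response steps apply.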

Frequently asked questions

No. selfservsweeper on PyPI has been identified as a malicious package (version 0.1.7 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2026-05-selfservsweeper
IN-MAL-2026-003689

Credits

  • Amazon Inspector · finder
  • Kamil Mańkowski (kam193) · analyst

Detect & block this

O3 blocks selfservsweeper-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.
