Malicious package

setuptolos · PyPI

Malicious code in setuptolos (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2024-11705
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall setuptolos

What this malware does

During installation, a cryptominer is secretly installed and started.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2024-09-bondonioanderas-cryptominer

Reasons (based on the campaign):

  • cryptominer

  • The package overrides the install command in setup.py to execute malicious code during installation.

  • obfuscation

Malicious versions

1 flagged: 0.1

Indicators of compromise (SHA-256)


Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for setuptolos (version 0.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging setuptolos across your stack and pipelines.

  2. If you installed it — respond

    setuptolos is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If setuptolos was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks setuptolos before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. setuptolos on PyPI has been identified as a malicious package (version 0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

  • RLMA-2024-11163
  • 2024-09-bondonioanderas-cryptominer
  • RLUA-2026-00754

Credits

  • Kamil Mańkowski (kam193)
  • ReversingLabs · finder

Detect & block this

O3 blocks setuptolos-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

setuptolos (PyPI) malicious package — MAL-2024-11705 | O3 Security