Which versions of shiva123456 are malicious?

The following PyPI versions of shiva123456 are flagged malicious: 23.99.0. Treat any of these as compromised.

How do I remediate shiva123456 if I installed it?

shiva123456 is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed shiva123456 — how do I know if it already compromised me?

If shiva123456 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is shiva123456 part of a known attack campaign?

Yes — shiva123456 is associated with the RLMA-2025-03683, GENERIC-standard-pypi-install-pentest, RLUA-2026-00755 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find shiva123456 across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for shiva123456 (version 23.99.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging shiva123456 across your stack and pipelines.

Malicious package

shiva123456PyPI

Malicious code in shiva123456 (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-6584

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall shiva123456

What this malware does

Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose.

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: GENERIC-standard-pypi-install-pentest

Reasons (based on the campaign):

The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
The package overrides the install command in setup.py to execute malicious code during installation.

Malicious versions

1 flagged

23.99.0

Indicators of compromise (SHA-256)

a07ff2c7b9bad4e3fbb35c0fe64fb5418115b42a4147b93e7c613fbfb5eb9f91

7d1de6c5c8a8dc6e88e58efdc753251c06b3d3978c6fd1d8e8f5a1c1620738ec

8dca9366a1d6999b03cd12a09de5dd5a5f7b65201bc392856f8494aaea4d225f

236aa203e10ac293be34416004491708dda6274c9b71df7af1fbf3e0e0903a35

a7a073b834d0908fd251ca6be09830b1755329f48ef033583be9864d4eb6f19d

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for shiva123456 (version 23.99.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging shiva123456 across your stack and pipelines.
If you installed it — respond
shiva123456 is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If shiva123456 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks shiva123456 before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. shiva123456 on PyPI has been identified as a malicious package (version 23.99.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-03683GENERIC-standard-pypi-install-pentestRLUA-2026-00755

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks shiva123456-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring