Which versions of sklern are malicious?

The following PyPI versions of sklern are flagged malicious: 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11. Treat any of these as compromised.

How do I remediate sklern if I installed it?

sklern is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed sklern — how do I know if it already compromised me?

If sklern was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is sklern part of a known attack campaign?

Yes — sklern is associated with the IN-MAL-2026-004166, IN-MAL-2026-004167, IN-MAL-2026-004760, IN-MAL-2026-004168, IN-MAL-2026-004759, IN-MAL-2026-004761 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find sklern across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for sklern (6 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging sklern across your stack and pipelines.

Malicious package

sklernPyPI

Malicious code in sklern (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-4768

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall sklern

What this malware does

Package name 'sklern' is a one-character deletion from the top-tier ML package 'sklearn', and its public API (linear_regression, logistic_regression, decision_tree, perceptron, mlp, etc.) mimics sklearn's surface but the functions do not implement ML — they print code strings. On import sklern, src/sklern/init.py loads src/sklern/ai_helper.py, which at module top level instantiates a Groq client with a hardcoded API key (Groq(api_key="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")). The exported get1(prompt) function — re-exported in __all__ — sends the caller's prompt to api.groq.com using that hardcoded key, with no mechanism for the caller to override the destination or credential. PKG-INFO description is the placeholder 'Example PyPI package' and README references 'sample_package'. A developer who mistypes 'sklearn' as 'sklern' installs a package that (a) does not provide the ML functionality its API names suggest, (b) ships a live third-party credential that any installer can extract and abuse against api.groq.com, and (c) silently relays caller-supplied prompt data through the author's Groq account where it may be logged. The combination of name-confusion attack + credential distribution + silent-relay of caller data is the typosquat-with-payload pattern.

Malicious versions

6 flagged

0.0.60.0.70.0.80.0.90.0.100.0.11

Indicators of compromise (SHA-256)

1495d93dccc77a422f70d192ef4d8dcd53b0c990fff43e68bc2a0eca301e5d10

b92ed7e6820e49af81e0cfc8873e8c9875f9a4e1bdb8c97db4c70c0962fc74d0

c69087b215e403f9377c077a40672735f28a9ad3263ae3937be85f88c7293ca2

c833fe81e9829c9ef98f27c825af436fe8bd0df2338d8bc48c4fb683479f6f7b

ee98b309bf1049c64bacb2e0102b63332363b65ba0f866d54e414e57ed4a285a

b5c9a1e82eeefa132146962cd0000f7b4f4865551d56e7839b15410160f2f36c

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for sklern (6 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging sklern across your stack and pipelines.
If you installed it — respond
sklern is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If sklern was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks sklern before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. sklern on PyPI has been identified as a malicious package (versions 0.0.6, 0.0.7, 0.0.8, 0.0.9, 0.0.10, 0.0.11 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-004166IN-MAL-2026-004167IN-MAL-2026-004760IN-MAL-2026-004168IN-MAL-2026-004759IN-MAL-2026-004761

References

Credits

Amazon Inspector · finder

Detect & block this

O3 blocks sklern-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring