Which versions of swampo are malicious?

The following PyPI versions of swampo are flagged malicious: 1.2.9, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.4.0, 1.4.1, 1.4.2, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.6, 1.5.7, 1.5.8, 1.7.0, 1.7.1. Treat any of these as compromised.

How do I remediate swampo if I installed it?

swampo is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed swampo — how do I know if it already compromised me?

If swampo was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is swampo part of a known attack campaign?

Yes — swampo is associated with the 2026-04-swampo campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find swampo across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for swampo (20 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging swampo across your stack and pipelines.

Malicious package

swampoPyPI

Malicious code in swampo (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2026-3031

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall swampo

What this malware does

Multi-stage dropper. The "analytics" functionality fetches fake updates information that should contain the next URL. From it, a yet another URL is downloaded, and then used to perform TXT DNS queries holding the encoded next URL. From this URL, a remote script is fetched and executed. During analysis, retrieving the final payload was not successful.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-04-swampo

Reasons (based on the campaign):

Downloads and executes a remote malicious script.
action-hidden-in-lib-usage

Malicious versions

20 flagged

1.2.91.3.41.3.51.3.61.3.71.3.81.3.91.4.01.4.11.4.21.5.01.5.11.5.21.5.31.5.41.5.61.5.71.5.81.7.01.7.1

Indicators of compromise (SHA-256)

7b8e193e75e6ca7d387f21b53c251e6ee8791d9ec4ca3f37099e765415d36157

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for swampo (20 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging swampo across your stack and pipelines.
If you installed it — respond
swampo is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If swampo was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks swampo before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. swampo on PyPI has been identified as a malicious package (versions 1.2.9, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.4.0, and 12 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2026-04-swampo

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193) · reporter

Detect & block this

O3 blocks swampo-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring