Which versions of syscachelib are malicious?

The following PyPI versions of syscachelib are flagged malicious: 0.1.0. Treat any of these as compromised.

How do I remediate syscachelib if I installed it?

syscachelib is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed syscachelib — how do I know if it already compromised me?

If syscachelib was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is syscachelib part of a known attack campaign?

Yes — syscachelib is associated with the RLMA-2025-03697, 2025-06-syscachelib, RLUA-2026-00793 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find syscachelib across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for syscachelib (version 0.1.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging syscachelib across your stack and pipelines.

Malicious package

syscachelibPyPI

Malicious code in syscachelib (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-6598

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall syscachelib

What this malware does

Importing the module starts a UAC bypass through fodhelper to run a privileged shell, and download and execute a remote file.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-06-syscachelib

Reasons (based on the campaign):

Downloads and executes a remote executable.

Malicious versions

1 flagged

0.1.0

Indicators of compromise (SHA-256)

9439421074301faa201d8a700cc7c6a9b3e3a158c495b3653c518eea4873374e

15f8ac921b946afdd64e282531a4b3facd26e0ab054a2623c06ae45b2427e33b

c8aa87f03342830d082dcfd87dfce0528b19781902f9c9e56a7379046d8a1572

52bff373c7a386ec56b7af2e25df2663e33239505b905f7afba7425da40d1c1b

192b5d9ba2c47356235831260dcb41d5d7191e2ba844b436421e2e92dedb0abd

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for syscachelib (version 0.1.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging syscachelib across your stack and pipelines.
If you installed it — respond
syscachelib is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If syscachelib was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks syscachelib before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. syscachelib on PyPI has been identified as a malicious package (version 0.1.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-036972025-06-syscachelibRLUA-2026-00793

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks syscachelib-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring