Which versions of syscontrol are malicious?

The following PyPI versions of syscontrol are flagged malicious: 0.1, 0.2. Treat any of these as compromised.

How do I remediate syscontrol if I installed it?

syscontrol is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed syscontrol — how do I know if it already compromised me?

If syscontrol was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is syscontrol part of a known attack campaign?

Yes — syscontrol is associated with the RLMA-2025-00531, 2024-12-syscontrol, RLUA-2026-00795 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find syscontrol across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for syscontrol (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging syscontrol across your stack and pipelines.

Malicious package

syscontrolPyPI

Malicious code in syscontrol (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-990

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall syscontrol

What this malware does

Importing the module starts downloading and executing an Infostealer targeting browsers' and Discord data

In first packages, there was a hidden line triggering downloading and running an infostealer

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2024-12-syscontrol

Reasons (based on the campaign):

infostealer
obfuscation
action-hidden-in-lib-usage
infostealer:kiwi
exfiltration-browser-data
exfiltration-crypto

Malicious versions

2 flagged

0.10.2

Indicators of compromise (SHA-256)

27570a0efd1a7cfc96c9c28cb88f8b2393e85e7eb7601d0e6a13ec3984b78095

ee3e0afcea3a13e14ccba83443d7ea1d4ec77794217c6744481bea3cf29230fb

2c413668a48a55dfe9f01e94c01fcfa37b26660436d8281a4075884b1cadd06e

dfd9a3d3868c43920706b9424118e9c6ceccfeb4cb582bd292a7bc7568a8eb73

b870482d1b0c068306546f6e411e481033ec68559e692f5b68f70888153a7518

5bfac0bea43a4ff1e2ccb3d175480629af7495bb5274bafe5c8c2acf9b65dfbf

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for syscontrol (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging syscontrol across your stack and pipelines.
If you installed it — respond
syscontrol is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If syscontrol was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks syscontrol before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. syscontrol on PyPI has been identified as a malicious package (versions 0.1, 0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-005312024-12-syscontrolRLUA-2026-00795

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks syscontrol-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring