Which versions of timsingapi are malicious?

The following PyPI versions of timsingapi are flagged malicious: 0.3. Treat any of these as compromised.

How do I remediate timsingapi if I installed it?

timsingapi is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed timsingapi — how do I know if it already compromised me?

If timsingapi was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is timsingapi part of a known attack campaign?

Yes — timsingapi is associated with the RLMA-2025-02600, 2025-05-rblxfando, RLUA-2026-00823 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find timsingapi across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for timsingapi (version 0.3). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging timsingapi across your stack and pipelines.

Malicious package

timsingapiPyPI

Malicious code in timsingapi (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-4242

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall timsingapi

What this malware does

Importing the module starts delayed downloading and starting a remote executable identified as BlankGrabber infostealer.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-05-rblxfando

Reasons (based on the campaign):

infostealer
Downloads and executes a remote executable.
malware
infostealer:blankgrabber

Malicious versions

1 flagged

0.3

Indicators of compromise (SHA-256)

28217162f7a326c1927197ca54fb3d83ffff8aa5198fe64c911e24169c080566

9c018c3cd91da9c7dee933dcc44aa40cf640aac4ba502c344b5f5b18f7c9dc55

1331e7dbd74ec00f13073c6230eee52b13ef3db29c643d09cbf0b81cccf4ad97

c04f0f3152ff4c51c6499f91149f9a13da7f67fe97563094abf38c7b979071bb

1f49f9ecb75329c75d66b4d702687d609e735d7903d4ff92b3bd46f674e295b2

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for timsingapi (version 0.3). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging timsingapi across your stack and pipelines.
If you installed it — respond
timsingapi is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If timsingapi was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks timsingapi before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. timsingapi on PyPI has been identified as a malicious package (version 0.3 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-026002025-05-rblxfandoRLUA-2026-00823

References

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks timsingapi-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring