Which versions of unclesky5910 are malicious?

The following PyPI versions of unclesky5910 are flagged malicious: 0.1. Treat any of these as compromised.

How do I remediate unclesky5910 if I installed it?

Remove unclesky5910 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed unclesky5910 — how do I know if it already compromised me?

If unclesky5910 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is unclesky5910 part of a known attack campaign?

Yes — unclesky5910 is associated with the RLMA-2025-05642, 2025-10-wangzhou183, RLUA-2026-00871 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find unclesky5910 across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for unclesky5910 (version 0.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging unclesky5910 across your stack and pipelines.

Malicious package

unclesky5910PyPI

Malicious code in unclesky5910 (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-191664

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall unclesky5910

What this malware does

Package imitates Roblox API wrapper, but the only action is getting the public IP, suggesting it's a security research or malicious attempt

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: 2025-10-wangzhou183

Reasons (based on the campaign):

The package overrides the install command in setup.py to execute malicious code during installation.

Malicious versions

1 flagged

0.1

Indicators of compromise (SHA-256)

530b45d97a7a44fbf0887d21b7b761f578e7236a343a9e9868cc8428c951049d

279df7621054065e05b0116be173ce0c083d701d6c3ec69b219d3cd0b1aa9922

8a6db403a22b058f1960f850fb70b353baeee04b4fc240846549f33ef355ef31

251836673e2b522d298fdfc213765855be73d61317f0c8855aba54cdd8a32595

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for unclesky5910 (version 0.1). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging unclesky5910 across your stack and pipelines.
If you installed it — respond
Remove unclesky5910 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If unclesky5910 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks unclesky5910 before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. unclesky5910 on PyPI has been identified as a malicious package (version 0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-056422025-10-wangzhou183RLUA-2026-00871

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks unclesky5910-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring