Which versions of utilitypyfunc are malicious?

The following PyPI versions of utilitypyfunc are flagged malicious: 0.1.0, 0.3.0, 0.4.0, 0.5.0. Treat any of these as compromised.

How do I remediate utilitypyfunc if I installed it?

utilitypyfunc is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed utilitypyfunc — how do I know if it already compromised me?

If utilitypyfunc was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is utilitypyfunc part of a known attack campaign?

Yes — utilitypyfunc is associated with the RLMA-2025-00540, 2024-12-utilitypyfunc, RLUA-2026-00880 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find utilitypyfunc across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for utilitypyfunc (4 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging utilitypyfunc across your stack and pipelines.

Malicious package

utilitypyfuncPyPI

Malicious code in utilitypyfunc (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-999

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall utilitypyfunc

What this malware does

Importing the package starts the thread that gets and executes code from the remote server. The package description suggests a rather spam than malicious intentions.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2024-12-utilitypyfunc

Reasons (based on the campaign):

The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.

Malicious versions

4 flagged

0.1.00.3.00.4.00.5.0

Indicators of compromise (SHA-256)

5c786b4ce5bf307c25e235c32f74228e5646de611321a40769c54ad2898b9bee

4503890a38a516040cbfd9f29a48ca5a8447c1609931303d2a0680ca50d950b7

2aaf64ae76493cf55c8b9e418bc3408f9e309b5c6a590a2ad528beb5ae8dbcc0

07b7c89d3feab6954ed0dc393cb14d5736baeaf3acf4ce79d42cff2cdaab48c5

f5b638434718ba496f959552b756ae67c4b57b48d32d54c22170ca51aa52c341

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for utilitypyfunc (4 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging utilitypyfunc across your stack and pipelines.
If you installed it — respond
utilitypyfunc is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If utilitypyfunc was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks utilitypyfunc before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. utilitypyfunc on PyPI has been identified as a malicious package (versions 0.1.0, 0.3.0, 0.4.0, 0.5.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-005402024-12-utilitypyfuncRLUA-2026-00880

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks utilitypyfunc-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring