
Malicious code in vtk-osmesa (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2025-5847
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall vtk-osmesa

What this malware does

During installation, sensitive information (including environment variables) is exfiltrated.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-07-vtk-osmesa

Reasons (based on the campaign):

  • exfiltration-env-variables

  • The package overrides the install command in setup.py to execute malicious code during installation.

  • The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.

The OpenSSF Package Analysis project identified 'vtk-osmesa' @ 900.548.735 (pypi) as malicious.

It is considered malicious because:

  • The package communicates with a domain associated with malicious activity.

  • The package executes one or more commands associated with malicious behavior.

Malicious versions

16 flagged

  • 0.0.7
  • 9.0.1
  • 900.548.725
  • 900.548.726
  • 900.548.731
  • 900.548.733
  • 900.548.734
  • 900.548.735
  • 900.548.736
  • 900.548.739
  • 900.548.742
  • 900.548.744
  • 900.548.746
  • 900.548.747
  • 900.548.751
  • 900.548.752

Indicators of compromise (SHA-256)


Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for vtk-osmesa (16 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging vtk-osmesa across your stack and pipelines.

  2. If you installed it — respond

    vtk-osmesa is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If vtk-osmesa was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks vtk-osmesa before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
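Step 1 of the playbook (find the package in your manifests) can be done without any vendor tooling. The following is an added example, not code from the advisory or from O3 Security: it scans requirements.txt / pip freeze output and poetry.lock for the 16 flagged versions, applying PEP 503 name normalization so spellings such as VTK_osmesa or vtk.osmesa are not missed. The sample manifests are constructed for the demonstration.

```python
import re

# The 16 versions flagged in MAL-2025-5847 (taken from the advisory; nothing else is assumed).
FLAGGED = {"vtk-osmesa": {"0.0.7", "9.0.1"} | {
    f"900.548.{n}" for n in (725, 726, 731, 733, 734, 735, 736, 739, 742, 744, 746, 747, 751, 752)}}

def normalize(name: str) -> str:
    """PEP 503 normalization, so 'VTK_osmesa' and 'vtk.osmesa' compare equal to 'vtk-osmesa'."""
    return re.sub(r"[-_.]+", "-", name).lower()

PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)")

def scan_requirements(text: str) -> list[tuple[str, str]]:
    """(normalized name, version) for each '==' pin in requirements.txt or pip-freeze output."""
    pins = []
    for line in text.splitlines():
        m = PIN_RE.match(line.split("#", 1)[0])  # drop trailing comments before matching
        if m:
            pins.append((normalize(m.group(1)), m.group(2)))
    return pins

def scan_poetry_lock(text: str) -> list[tuple[str, str]]:
    """(normalized name, version) for each [[package]] table in a poetry.lock file."""
    pins, cur = [], {}
    for line in text.splitlines():
        if line.startswith("["):  # any table header closes the current name/version block
            if "name" in cur and "version" in cur:
                pins.append((normalize(cur["name"]), cur["version"]))
            cur = {"_pkg": True} if line.strip() == "[[package]]" else {}
        elif "_pkg" in cur and (m := re.match(r'^(name|version)\s*=\s*"([^"]+)"', line)):
            cur[m.group(1)] = m.group(2)
    if "name" in cur and "version" in cur:
        pins.append((normalize(cur["name"]), cur["version"]))
    return pins

def flagged_hits(pins) -> list[tuple[str, str]]:
    """Keep only pins whose (name, version) is in FLAGGED; deduplicated and sorted."""
    return sorted({(n, v) for n, v in pins if v in FLAGGED.get(n, ())})

# Constructed sample manifests for a stand-alone run (not real project files).
SAMPLE_REQUIREMENTS = "numpy==1.26.4\nVTK_osmesa==900.548.735  # differs only in spelling\nvtk-osmesa>=9.0\n"
SAMPLE_POETRY_LOCK = ('[[package]]\nname = "vtk-osmesa"\nversion = "0.0.7"\n\n[package.dependencies]\n'
                      'numpy = ">=1.0"\n\n[[package]]\nname = "requests"\nversion = "2.32.3"\n')

if __name__ == "__main__":
    for label, hits in (("requirements.txt", flagged_hits(scan_requirements(SAMPLE_REQUIREMENTS))),
                        ("poetry.lock", flagged_hits(scan_poetry_lock(SAMPLE_POETRY_LOCK)))):
        print(label, "->", hits or "clean")
```

Unpinned specifiers such as `vtk-osmesa>=9.0` are deliberately not reported as hits, because the resolved version is unknown; treat any mention of the name in an unpinned manifest as something to resolve and review.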

Frequently asked questions

No. vtk-osmesa on PyPI has been identified as a malicious package (versions 0.0.7, 9.0.1, 900.548.725, 900.548.726, 900.548.731, 900.548.733, 900.548.734, 900.548.735, and 8 more flagged). It should be removed immediately — do not install or keep it in your dependency tree.


Credits

  • Kamil Mańkowski (kam193)
  • OpenSSF: Package Analysis · finder
