Which versions of wallettronpy are malicious?

The following PyPI versions of wallettronpy are flagged malicious: 0.1.0. Treat any of these as compromised.

How do I remediate wallettronpy if I installed it?

wallettronpy is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed wallettronpy — how do I know if it already compromised me?

If wallettronpy was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is wallettronpy part of a known attack campaign?

Yes — wallettronpy is associated with the RLMA-2025-03038, 2025-04-tronix, RLUA-2026-00907 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find wallettronpy across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for wallettronpy (version 0.1.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging wallettronpy across your stack and pipelines.

Malicious package

wallettronpyPyPI

Malicious code in wallettronpy (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-5141

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall wallettronpy

What this malware does

Package appears to be designed for private key exfiltration, but no known usage. The name appears to be related to the cryptocurrency TRX (Tron / Tronix). Some packages additionally clone the readme of other, legit libraries. The similar packages are repeating uploaded to PyPI

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-04-tronix

Reasons (based on the campaign):

exfiltration-generic
crypto-related

Malicious versions

1 flagged

0.1.0

Indicators of compromise (SHA-256)

c007aea3a9bf2e0abf71cbe3f290736a989dde5e63121ed1c7f481257f901f5a

13552d63bb8c1d5083c51042623ddccf2854d888c3f39f1bc1935a09894fb6a1

6232d6f8e03368abc5a38f906502206757571193ce7daf078c26f2e0cd159882

18815805440507b7ab7c33664f9fe11b868d3d4d0f75d44571316f5219221c76

83e05803cb0624ff4da5fe64ad42ec56afe5633bc1931b95c5e651a39895a880

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for wallettronpy (version 0.1.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging wallettronpy across your stack and pipelines.
If you installed it — respond
wallettronpy is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If wallettronpy was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks wallettronpy before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. wallettronpy on PyPI has been identified as a malicious package (version 0.1.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-030382025-04-tronixRLUA-2026-00907

References

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks wallettronpy-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring