Which versions of web3dummycti are malicious?

The following PyPI versions of web3dummycti are flagged malicious: 0.1.0. Treat any of these as compromised.

How do I remediate web3dummycti if I installed it?

web3dummycti is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed web3dummycti — how do I know if it already compromised me?

If web3dummycti was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is web3dummycti part of a known attack campaign?

Yes — web3dummycti is associated with the 2025-07-web3dummycti campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find web3dummycti across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for web3dummycti (version 0.1.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging web3dummycti across your stack and pipelines.

Malicious package

web3dummyctiPyPI

Malicious code in web3dummycti (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-191928

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall web3dummycti

What this malware does

If the method from the module is called, it attempts to download a malicious code (identified as msf payload) and save it locally. In the analysed version, the code starting the malicious code was commented out.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-07-web3dummycti

Reasons (based on the campaign):

The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.
action-hidden-in-lib-usage
Downloads and executes a remote malicious script.

Malicious versions

1 flagged

0.1.0

Indicators of compromise (SHA-256)

2ce645d75544487ba7683025086854e1bdb29b598cb662529dde8e7777a15510

9a702a53b1f08d4ee8e06e9dc19f6c942ee7bd755274f898a2ff737796557316

9586a86d70ea43ad17d9e58d3e35fb0b7b74791461a20e16fcafea2d66d2cd45

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for web3dummycti (version 0.1.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging web3dummycti across your stack and pipelines.
If you installed it — respond
web3dummycti is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If web3dummycti was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks web3dummycti before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. web3dummycti on PyPI has been identified as a malicious package (version 0.1.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2025-07-web3dummycti

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)

Detect & block this

O3 blocks web3dummycti-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring