Malicious package

whee11 (PyPI)

Malicious code in whee11 (PyPI). Remove it immediately and rotate any exposed credentials.

MAL-2025-5143
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
pip uninstall whee11

What this malware does

The package uses the template from https://github.com/thegoodhackertv/malpip to explore building malicious PyPI packages.

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: SCRIPT_KIDDIE-thegoodhacker-paquete

Reasons (based on the campaign):

  • The package contains code to exfiltrate basic data from the system, such as the IP address or username. The risk is limited.

  • The package overrides the install command in setup.py to execute malicious code during installation.

  • The package uses simple, pre-prepared tools to carry out a low-quality malicious action.
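The install-command override named in the reasons above can be checked for statically, without running the setup script. The following is an added example, not code from this advisory or from the malpip template; the function name, the command list and the sample setup.py are constructed for illustration.

```python
import ast

# Commands pip/setuptools may run while building or installing an sdist.
INSTALL_TIME_COMMANDS = {"install", "develop", "egg_info", "build",
                         "build_py", "sdist", "bdist_wheel"}

# Constructed sample: an inert setup.py with the same shape of override.
SAMPLE_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install

class CustomInstall(install):
    def run(self):
        install.run(self)
        # arbitrary code placed here would run on "pip install"

setup(name="example-pkg", version="1.0.0", cmdclass={"install": CustomInstall})
'''

def find_command_overrides(source):
    """Return sorted (command, class_name, defined_in_setup_py) tuples."""
    tree = ast.parse(source)  # parse only; the setup script is never executed
    local_classes = {n.name for n in ast.walk(tree) if isinstance(n, ast.ClassDef)}
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name != "setup":
            continue
        for kw in node.keywords:
            if kw.arg != "cmdclass" or not isinstance(kw.value, ast.Dict):
                continue
            for key, value in zip(kw.value.keys, kw.value.values):
                if isinstance(key, ast.Constant) and key.value in INSTALL_TIME_COMMANDS:
                    cls = ast.unparse(value)
                    findings.append((key.value, cls, cls in local_classes))
    return sorted(findings)

if __name__ == "__main__":
    for command, cls, local in find_command_overrides(SAMPLE_SETUP_PY):
        print(f"cmdclass override: {command!r} -> {cls} (defined in setup.py: {local})")
```

Run it against the setup.py extracted from an sdist before installing. It only sees cmdclass given as a dict literal, so a setup.py that builds the mapping indirectly still needs manual review.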

Malicious versions

1 flagged
1.0.0

Indicators of compromise (SHA-256)


Detection & response playbook

Credential / info stealer
  1. Find it

    Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for whee11 (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging whee11 across your stack and pipelines.

  2. If you installed it — respond

    whee11 is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

  3. Did it already run?

    If whee11 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

  4. How O3 protects you

    O3 blocks whee11 before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. whee11 on PyPI has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

  • RLMA-2025-03040
  • SCRIPT_KIDDIE-thegoodhacker-paquete
  • RLUA-2026-00928

Credits

  • Kamil Mańkowski (kam193)
  • ReversingLabs · finder
