Which versions of youreallydontwantthispackage2131 are malicious?

The following PyPI versions of youreallydontwantthispackage2131 are flagged malicious: 1, 1.0.1. Treat any of these as compromised.

How do I remediate youreallydontwantthispackage2131 if I installed it?

youreallydontwantthispackage2131 is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed youreallydontwantthispackage2131 — how do I know if it already compromised me?

If youreallydontwantthispackage2131 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is youreallydontwantthispackage2131 part of a known attack campaign?

Yes — youreallydontwantthispackage2131 is associated with the 2024-10-gal32fjdsbf89hnd-gcp-token campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find youreallydontwantthispackage2131 across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for youreallydontwantthispackage2131 (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging youreallydontwantthispackage2131 across your stack and pipelines.

Malicious package

youreallydontwantthispackage2131PyPI

Malicious code in youreallydontwantthispackage2131 (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2024-10241

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall youreallydontwantthispackage2131

What this malware does

Installing the package attempts to exfiltrate GCP tokens. As it uses a random names and/or targets specific accounts, it's most probably a (pen)test.

Category: PROBABLY_PENTEST - Packages looking like typical pentest packages, but also anything that looks like testing, exploring pre-prepared kits, research & co, with clearly low-harm possibilities.

Campaign: 2024-10-gal32fjdsbf89hnd-gcp-token

Reasons (based on the campaign):

exfiltration-cloud-tokens

The OpenSSF Package Analysis project identified 'youreallydontwantthispackage2131' @ 1.0.1 (pypi) as malicious.

It is considered malicious because:

The package communicates with a domain associated with malicious activity.
The package executes one or more commands associated with malicious behavior.

Malicious versions

2 flagged

11.0.1

Indicators of compromise (SHA-256)

287818178d5bd4e83a85547242db772b2e39cbcc17038f0a01da63f787d510b9

fd68729e22ccdbb007d2100a3623bff161349d465e0786824c041e034e1c78e1

59a625d21a28cbccdc17039b309f3ff2765e7b424c297645f576bd457e8a7a56

8bca93b1825c930118e85cc054305e6aef120080f8cc68233467eb6ee7b3ff1d

b32a46c1e994df774a402331725f1ba097b17029b1e907e2964de4cade1e2e55

d5e8a06e22e50b9446f618d3cdea0e5f02230dbeb763de8a045b09266cd82632

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for youreallydontwantthispackage2131 (2 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging youreallydontwantthispackage2131 across your stack and pipelines.
If you installed it — respond
youreallydontwantthispackage2131 is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If youreallydontwantthispackage2131 was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks youreallydontwantthispackage2131 before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. youreallydontwantthispackage2131 on PyPI has been identified as a malicious package (versions 1, 1.0.1 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

2024-10-gal32fjdsbf89hnd-gcp-token

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
OpenSSF: Package Analysis · finder

Detect & block this

O3 blocks youreallydontwantthispackage2131-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring