Which versions of zhopaorlaaato are malicious?

The following PyPI versions of zhopaorlaaato are flagged malicious: 1.2.0. Treat any of these as compromised.

How do I remediate zhopaorlaaato if I installed it?

zhopaorlaaato is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.

I already installed zhopaorlaaato — how do I know if it already compromised me?

If zhopaorlaaato was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is zhopaorlaaato part of a known attack campaign?

Yes — zhopaorlaaato is associated with the RLMA-2025-04300, 2025-08-dsidelib, RLUA-2026-00949 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find zhopaorlaaato across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for zhopaorlaaato (version 1.2.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging zhopaorlaaato across your stack and pipelines.

Malicious package

zhopaorlaaatoPyPI

Malicious code in zhopaorlaaato (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2025-41802

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall zhopaorlaaato

What this malware does

Package is runs an Infostealer targeting telegram and Discord credentials. Depending on version, the infostealer is either downloaded from an URL or embedded in the package

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2025-08-dsidelib

Reasons (based on the campaign):

infostealer
Downloads and executes a remote malicious script.
exfiltration-browser-data
target:telegram

Malicious versions

1 flagged

1.2.0

Indicators of compromise (SHA-256)

5676ea4121bb59b7334e4e90710e2399121e78e55a3bf028e42466affe7c0fa3

d1edd910aa9ddccf5b6b7ddb9d5e2c801b0fce53846b4ad36b367ebb8f383240

45a24b1a49c10f50578e74364357b8de8d31ee62b997c0db957bc0474c841fd7

eaf516a23720109e10f2c833ac73ff3589c475a78da6aa6edb27a2c8d0fcafae

cadfd86ade22a8d4ed9b3f64849d2209805cf558da9dd28cd93fa34beca44872

Detection & response playbook

Credential / info stealer

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for zhopaorlaaato (version 1.2.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging zhopaorlaaato across your stack and pipelines.
If you installed it — respond
zhopaorlaaato is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If zhopaorlaaato was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks zhopaorlaaato before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. zhopaorlaaato on PyPI has been identified as a malicious package (version 1.2.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2025-043002025-08-dsidelibRLUA-2026-00949

References

bad-packages.kam193.eu

Credits

Kamil Mańkowski (kam193)
ReversingLabs · finder

Detect & block this

O3 blocks zhopaorlaaato-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.

Malware detection Runtime egress monitoring