Skip to content

HIGHLY_SUSPICIOUS (1) campaign cataloged at 2025-01-09(2).

  1. Packages that are likely malicious, but due to the obfuscation level, lack of time or clear indicators it's hard to say what exactly they do; the highest risk of false positives.
  2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2025-01-uniapi

When importing, the code runs a separated thread that silently downloads and runs a remote script. The content of the remote script collects username and current directory, at the time of check. This looks to be introduced in 1.0.7, so maybe the intention wasn't entirely malicious, but this kind of behaviour is dangerous and clearly intended to be hidden from the user.

Abuse categories

basic_exfiltration

The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.

remote_script

Downloads and executes a remote malicious script.

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

  • irapi.inruan.com

Packages in the campaign

campaign:2025-01-uniapi