HIGHLY_SUSPICIOUS (1) campaign cataloged at 2025-04-28(2).

1. Packages that are likely malicious, but due to the obfuscation level, lack of time or clear indicators it's hard to say what exactly they do; the highest risk of false positives.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2025-04-tronix

Package appears to be designed for private key exfiltration, but no known usage. The name appears to be related to the cryptocurrency TRX (Tron / Tronix). Some packages additionally clone the readme of other, legit libraries

Abuse categories

crypto-related

Campaign uses crypto-related.

exfiltration_generic

Campaign uses exfiltration_generic.

References

Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.

• https://en.wikipedia.org/wiki/Tron_(blockchain)

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• 68076f26e81df7060eba3e58.mockapi.io

• 66c0dc0bba6f27ca9a57c4bf.mockapi.io

• 67b9f37c51192bd378dee810.mockapi.io

Packages in the campaign

campaign:2025-04-tronix

• tronapinet
• trongridlib
• tronix
• tronlib
• tronlibapi
• tronlibpy
• tronlid
• tronlix
• trxone
• trxtwo
• wallettron
• wallettronpy