HIGHLY_SUSPICIOUS (1) campaign cataloged at 2025-05-22(2).

1. Packages that are likely malicious, but due to the obfuscation level, lack of time or clear indicators it's hard to say what exactly they do; the highest risk of false positives.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2025-05-invoke-agent

Under some conditions, a requested web request is not being made locally, but routed through an external worker (including all eventual credentials). This happens only when the auth_code ends with "::i". Hard to say if it is malicious or not

Abuse categories

action-hidden-in-lib-usage

Campaign uses action-hidden-in-lib-usage.

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• wandering-tooth.cooper-c79.workers.dev

Packages in the campaign

campaign:2025-05-invoke-agent

• invoke-agent