HIGHLY_SUSPICIOUS (1) campaign cataloged at 2025-06-10(2).

1. Packages that are likely malicious, but due to the obfuscation level, lack of time or clear indicators it's hard to say what exactly they do; the highest risk of false positives.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2025-06-akamai-packages

Very suspicious packages, looking like an attempt to impersonate Akamai. During import, there is a call to canary token URL, but no other visible malicious activity. They contain some small helpers that can be useful, but do not look like a normal SDK.

Packages were created by a different account than any previous official Akamai packages (e.g. https://pypi.org/project/edgegrid-python/) and the corresponding GitHub account (https://github.com/akamai-packages) although it claims to be the official one, is 1) user not an org, 2) different from the Akamai organisation hosting previous Akamai repositories (https://github.com/akamai)

Abuse categories

impersonation

Campaign uses impersonation.

other

Campaign uses other.

typosquatting

Campaign uses typosquatting.

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• hxxp://fe3d100797da.o3n.io/files/gmi7hhdoknwhu9zojf3j9xzkc/doc.gif

Packages in the campaign

campaign:2025-06-akamai-packages

• akamai-api
• akamai-papi
• akamaisdk