MALICIOUS (1) campaign cataloged at 2025-07-06(2).
- The campaign has clearly malicious intent, like infostealers.
- This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.
2025-07-cloudscrapersafe¶
During processing the user requests, the package looks for URLs related to checkouts using services: - credomatic.compassmerchantsolutions.com - checkout.baccredomatic.com and exfiltrates given credit card numbers, verification codes etc. Interestingly, it checks even 3DS responses.
Clone of the legitimate "cloudscraper" package.
Abuse categories¶
action-hidden-in-lib-usage
The malicious action is hidden in the code and starts when user interacts with it (e.g. during class initialization or by exfiltrating given credentials).
clones_real_package
The package is a clone of a legitimate package or library, but with malicious code added.
exfiltration_generic
Campaign uses exfiltration_generic.