HIGHLY_SUSPICIOUS (1) campaign cataloged at 2025-08-07(2).
- Packages that are likely malicious, but due to the obfuscation level, lack of time or clear indicators it's hard to say what exactly they do; the highest risk of false positives.
- This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.
2025-08-ai-mesh-sdk¶
Package references "AI Mesh Platform" but it's difficult to identify such a service (there is nothing that use exactly that name). It uses a cloudfront domain as a backend service and does not have proper author's email or repository URL, although it's said to be MIT-licensed.
The package looks like an attempt to collect credentials to a platform, but it's impossible to identify the targeted service or to conclude that it's a legit SDK.
Abuse categories¶
IoCs & related URLs¶
URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.
-
f6a97ab0c30b.ngrok-free.app -
d2rg0qhl0argzt.cloudfront.net