MALICIOUS (1) campaign cataloged at 2025-08-20(2).

1. The campaign has clearly malicious intent, like infostealers.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2025-08-cffi-curl

Malicious clone of a legitimate package "curl-cffi". When importing the module, it runs an obfuscated PowerShell command

Abuse categories

clones_real_package

The package is a clone of a legitimate package or library, but with malicious code added.

malware

Package contains or installs known malware.

obfuscation

Code uses obfuscation techniques to hide its true purpose.

typosquatting

The package name is an typosquatting variant of a popular package.

Packages in the campaign

campaign:2025-08-cffi-curl

• cffi-curl