HIGHLY_SUSPICIOUS (1) campaign cataloged at 2025-10-15(2).

1. Packages that are likely malicious, but due to the obfuscation level, lack of time or clear indicators it's hard to say what exactly they do; the highest risk of false positives.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2025-10-starexx

The package seems to be hiding the potentially malicious possibility to download and execute remote code from a pre-defined host, but requires a specific key to do so. The relevant Github repository seems to host only versions without the remote code execution.

Abuse categories

remote_script

Downloads and executes a remote malicious script.

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• starexxx.vercel.app

Packages in the campaign

campaign:2025-10-starexx

• starexx