MALICIOUS (1) campaign cataloged at 2025-12-21(2).

1. The campaign has clearly malicious intent, like infostealers.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2025-12-ai-cypher

The compiled native extension hides the code that during import exfiltrates sensitive Telegram files.

Abuse categories

exfiltration_credentials

The package attempts to steal credentials, like passwords or API keys.

native-extension

The suspicious activity is performed in a native module extension

target:telegram

The package is designed to target Telegram users or the Telegram platform.

References

Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.

• tria.ge report

Packages in the campaign

campaign:2025-12-ai-cypher

• ai-cypher