Skip to content

HIGHLY_SUSPICIOUS (1) campaign cataloged at 2025-12-26(2).

  1. Packages that are likely malicious, but due to the obfuscation level, lack of time or clear indicators it's hard to say what exactly they do; the highest risk of false positives.
  2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2025-12-google-api-canary-service

The "metric collection" feature is responsible for exfiltrating basic system data and information from specific SQL tables as well as specific files to a predefined location. While it is suspicious, the package also expects quite specific config information to be available in the environment, which makes it difficult to understand the intention

Abuse categories

exfiltration_generic

Campaign uses exfiltration_generic.

files_exfiltration

Campaign uses files_exfiltration.

Packages in the campaign

campaign:2025-12-google-api-canary-service