MALICIOUS (1) campaign cataloged at 2025-12-08 (2).
- (1) The campaign has clearly malicious intent, like infostealers.
- (2) This is only the date the catalog entry was created. It may not reflect the date the campaign itself was created.
2025-12-graphnode
This is a malicious copy of the networkx package. It contains an obfuscated script that downloads and runs further scripts from one of several locations, then covers its tracks by removing the modified code and all references to it. During the analysis, most of the remote URLs did not serve any meaningful content, so the final goal is unknown.
Abuse categories
clones_real_package
The package is a clone of a legitimate package or library, but with malicious code added.
obfuscation
Code uses obfuscation techniques to hide its true purpose.
remote_script
Downloads and executes a remote malicious script.
IoCs & related URLs
URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.