MALICIOUS (1) campaign cataloged at 2026-01-05(2).
- The campaign has clearly malicious intent, like infostealers.
- This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.
2026-01-gztensor-cli¶
Package clones a legitimate library and adds a hidden code that downloads a malicious script. The script then downloads an archive with malicious executable in the version appropriate to the system architecture, and ensures persistency by adding automatically started service entries. The remote code is a Go-based inforstealer and backdoor previously attributed to Northkorean cybercrime activities. In this campaign, the malicious code may not be immediately introduced in the typosquatted package, but added with an update.
Abuse categories¶
action-hidden-in-lib-usage
The malicious action is hidden in the code and starts when user interacts with it (e.g. during class initialization or by exfiltrating given credentials).
backdoor
Campaign uses backdoor.
clones_real_package
The package is a clone of a legitimate package or library, but with malicious code added.
crypto-related
Malicious activity is related to cryptocurrencies or blockchain, e.g. stealing crypto wallets.
infostealer
Activity is typical for information stealers, i.e. by exfiltrate various sensitive data from the victim's environment.
obfuscation
Code uses obfuscation techniques to hide its true purpose.
peristence_autorun
Campaign uses peristence_autorun.
remote_executable
Downloads and executes a remote executable.
typosquatting
The package name is an typosquatting variant of a popular package.
References¶
Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.
IoCs & related URLs¶
URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.
-
hxxps://bitensor.xyz/realtek.sh -
bitensor.xyz -
cameradriver.pro -
23.227.203.99:8080 -
23.227.203.99