
MALICIOUS (1) campaign cataloged at 2026-01-16(2).

  1. The campaign has clearly malicious intent, like infostealers.
  2. This is only the date on which the catalog entry was created. It may not reflect the date on which the campaign itself was created.

2026-01-uitil

The package implements an undocumented way to execute code hidden in image files, and a function that searches for images in the current directory and attempts to execute the code.

It's used in the GitHub repository https://github.com/OR-6/PassCheck/blob/main/main.py#L190 to silently execute the command hidden in the image https://github.com/OR-6/PassCheck/blob/b09b3f1ec5d7345c614b1d956840ee2774f7131b/demo.png when the user interacts with the repository code. The decrypted command attempted to download and execute code from hxxps://or-6.github[.]io, which at the time of analysis didn't host any code.
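The catalog entry does not say how the command is encoded in the image, only that it is hidden there and encrypted. The following script is an added triage example, not code from the package, the PassCheck repository, or this catalog. It assumes the common PNG trick of placing the payload after the IEND chunk (which every decoder stops at) or inside a non-standard chunk, and reports anything a normal image viewer would silently ignore. The sample image, the appended blob and the chunk type pYlD are constructed here for the test; the real payload layout in demo.png may differ.

```python
import pathlib
import struct
import zlib

# PNG signature and the chunk types a benign encoder normally writes.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"gAMA",
    b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"pHYs", b"sBIT", b"tIME", b"tRNS",
    b"hIST", b"sPLT",
}


def parse_png(data: bytes) -> dict:
    """Walk the chunk list and collect what a decoder would ignore.

    Returns a dict with:
      chunks   -> list of (type, length) in file order
      unknown  -> chunk types outside KNOWN_CHUNKS (a place to stash data)
      bad_crc  -> chunk types whose CRC does not match (tampered in place)
      iend     -> whether an IEND chunk was found at all
      trailing -> every byte after IEND (decoders never read past it)
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    chunks, unknown, bad_crc = [], [], []
    trailing, iend = b"", False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        chunks.append((ctype, length))
        if ctype not in KNOWN_CHUNKS:
            unknown.append(ctype)
        if struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF) != crc:
            bad_crc.append(ctype)
        pos += 12 + length
        if ctype == b"IEND":
            iend = True
            trailing = data[pos:]   # the classic hiding spot
            break
    return {"chunks": chunks, "unknown": unknown, "bad_crc": bad_crc,
            "iend": iend, "trailing": trailing}


def suspicious(report: dict) -> bool:
    """True when the image carries anything a viewer would not render."""
    return bool(report["trailing"] or report["unknown"]
                or report["bad_crc"] or not report["iend"])


def scan_dir(root: str = ".") -> dict:
    """Check every .png under root; the defensive mirror of the loader's search."""
    results = {}
    for path in pathlib.Path(root).rglob("*.png"):
        try:
            results[str(path)] = parse_png(path.read_bytes())
        except ValueError as exc:
            results[str(path)] = {"error": str(exc)}
    return results


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_sample_png(trailer: bytes = b"", extra=None) -> bytes:
    """Constructed 1x1 RGB image; `trailer` is appended after IEND and
    `extra` is a list of (type, body) chunks inserted before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")            # filter byte + pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, body in (extra or []):
        png += _chunk(ctype, body)
    return png + _chunk(b"IEND", b"") + trailer


if __name__ == "__main__":
    for name, rep in scan_dir(".").items():
        if "error" in rep or suspicious(rep):
            print("SUSPICIOUS", name, rep.get("error") or
                  "trailing=%d unknown=%s bad_crc=%s" % (
                      len(rep["trailing"]), rep["unknown"], rep["bad_crc"]))
```

The trailing bytes are what an analyst would hand to the decryption routine recovered from the loader; the script deliberately does not attempt to decrypt or execute anything it finds.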

Abuse categories

action-hidden-in-lib-usage

The malicious action is hidden in the code and starts when the user interacts with it (e.g. during class initialization or by exfiltrating given credentials).

remote_commands

The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.

steganography

Campaign uses steganography.

through_dependency

The malicious code is intentionally included in a dependency of the package.

typosquatting

The package name is a typosquatting variant of a popular package.

References

Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

  • hxxps://github.com/OR-6/PassCheck/

  • hxxps://or-6.github.io

  • or-6.github.io

Packages in the campaign

campaign:2026-01-uitil