HIGHLY_SUSPICIOUS (1) campaign cataloged at 2026-02-26(2).

1. Packages that are likely malicious, but due to the obfuscation level, lack of time or clear indicators it's hard to say what exactly they do; the highest risk of false positives.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2026-02-purpleflea

Package to use the API of Purpleflea.com, a very suspicious financial service for LLM agents, offering high-risk services like gambling, using only cryptocurrencies as the payment method. At the time of analysis, the domain was 6 days old. The service profile matches emerging threats targeting LLM agents, but it's not clear if there is anything malicious, or it's just a high-risk service.

Abuse categories

crypto-related

Malicious activity is related to cryptocurrencies or blockchain, e.g. stealing crypto wallets.

llm-threat

Malicious activity is designed against large language models, like e.g. prompt injection.

other

Campaign uses other.

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• purpleflea.com

• api.purpleflea.com

Packages in the campaign

campaign:2026-02-purpleflea

• purpleflea