MALICIOUS (1) campaign cataloged on 2026-03-20 (2).
1. The campaign has clearly malicious intent, like infostealers.
2. This is just the date the catalog entry was created. It may not reflect the date the campaign itself was created.
2026-03-geekennedy
These packages are used as build dependencies of malicious packages in newer waves of the campaign 2026-02-urllib-slim. They split the malicious action between dependencies and are not malicious alone, but together they exfiltrate information through DNS, collect information about processes, and cover tracks by installing packages from local private repositories.
Package nspack additionally notifies, upon import, a domain known for malicious activity, sending the package and hostname.
Abuse categories
basic_exfiltration
The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
through_dependency
The malicious code is intentionally included in a dependency of the package.
IoCs & related URLs
URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.
- 1r.vc
- gcloudns.net