HIGHLY_SUSPICIOUS (1) campaign cataloged at 2026-04-30(2).

1. Packages that are likely malicious, but due to the obfuscation level, lack of time or clear indicators it's hard to say what exactly they do; the highest risk of false positives.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2026-04-funkratov

Packages are very likely used to exfiltrate files or env variables, but given available data, it was impossible to confirm the malicious intention. The probable scenario is being dependency of a malicious project.

Related malicious campaign: 2026-04-renderctx

Abuse categories

exfiltration_env_variables

Campaign uses exfiltration_env_variables.

files_exfiltration

Campaign uses files_exfiltration.

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• renderkit1.vercel.app

• ctx-graphics.vercel.app

Packages in the campaign

campaign:2026-04-funkratov

• chalk-fancy
• funkratov-renderkit
• renderkitcore