MALICIOUS (1) campaign cataloged at 2026-04-08(2).

1. The campaign has clearly malicious intent, like infostealers.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2026-04-kraken-trader

The package is a loader of malicious code disguised as remote "credits" code. The remote location, built from the parts in the code, delivers highly obfuscated JavaScript code that could be executed by the node.js runner embeded in the package. While all parts are in the package, it lacks the triggering code. As per Socket.dev attribution, it's a dependency used in North Korean fake interviews campaign.

Abuse categories

crypto-related

Malicious activity is related to cryptocurrencies or blockchain, e.g. stealing crypto wallets.

remote_script

Downloads and executes a remote malicious script.

References

Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.

• https://socket.dev/pypi/package/kraken-trader/overview/1.0.1

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• hxxps://bet.slotgambit.com/icons/112

• bet.slotgambit.com

Packages in the campaign

campaign:2026-04-kraken-trader

• kraken-trader