MALICIOUS (1) campaign cataloged at 2026-04-20(2).
(1) The campaign has clearly malicious intent, like infostealers.
(2) This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.
2026-04-moonbit-locale-compat
The campaign uses a chain of dependencies that ultimately exfiltrates sensitive environment variables to a hardcoded GitHub repository and, in specific environments, also starts a reverse shell. It appears to target one specific GitHub project, where the front-end package was included in a PR.
Abuse categories
exfiltration_env_variables
Campaign uses exfiltration_env_variables.
revshell
The package contains code to create a reverse shell, allowing an attacker to execute any commands on the victim's machine.
through_dependency
The malicious code is intentionally included in a dependency of the package.
References
Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.