MALICIOUS (1) campaign cataloged at 2026-04-25(2).

1. The campaign has clearly malicious intent, like infostealers.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2026-04-promptflow-runtime

During import, package collects basic information about the system, performs deep fingerprinting, and reports the data to the remote target. The package description attempts to build a false impression that it's an official package.

Abuse categories

basic_exfiltration

The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.

dependency-confusion

An attempt to exploit dependency confusion

impersonation

Campaign uses impersonation.

sandbox-detection

The package contains code to detect if it is running in a sandbox environment.

IoCs & related URLs

URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.

• ttder9qf90.execute-api.us-east-1.amazonaws.com

Packages in the campaign

campaign:2026-04-promptflow-runtime

• ort-moe
• promptflow-runtime