MALICIOUS (1) campaign cataloged at 2026-04-21(2).

1. The campaign has clearly malicious intent, like infostealers.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2026-04-typelimagic

Clone of a legitimate library. The added code scans system for sensitive files, with the focus on crypto currency wallets, and exfiltrate them. Previous versions included executing remote commands.

Abuse categories

clones_real_package

The package is a clone of a legitimate package or library, but with malicious code added.

crypto-related

Malicious activity is related to cryptocurrencies or blockchain, e.g. stealing crypto wallets.

exfiltration_crypto

The package attempts to steal sensitive cryptocurrency-related data, like wallet keys.

obfuscation

Code uses obfuscation techniques to hide its true purpose.

remote_commands

The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.

Packages in the campaign

campaign:2026-04-typelimagic

• typelimagic