HIGHLY_SUSPICIOUS (1) campaign cataloged at 2026-05-15(2).

1. Packages that are likely malicious, but due to the obfuscation level, lack of time or clear indicators it's hard to say what exactly they do; the highest risk of false positives.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2026-05-workweaver

The code contains multiple incorrect cryptocurrency addresses among official fee/program/contract addresses. It's difficult to assess if the changes are intentional or results of AI hallucination. The fake addresses are quite similar to the expected official addresses. Using the library could result in invalid transfers or transactions to unintended addresses.

Abuse categories

crypto-related

Malicious activity is related to cryptocurrencies or blockchain, e.g. stealing crypto wallets.

References

Referenced resources may include blog posts about the campaign, malware analysis, sandbox reports, or other relevant information.

• https://inspector.pypi.io/project/workweaver/0.1.3/packages/7b/7a/57c30fb1f7e12723897b13a321535192ee3c37dfc8366d1f9d47d53f77e5/workweaver-0.1.3-py3-none-any.whl/apps/backend/services/mev/jito.py#line.31

Packages in the campaign

campaign:2026-05-workweaver

• workweaver