HIGHLY_SUSPICIOUS (1) campaign cataloged at 2026-06-23(2).

1. Packages that are likely malicious, but due to the obfuscation level, lack of time or clear indicators it's hard to say what exactly they do; the highest risk of false positives.
2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2026-06-ur7

The embeded native module seems to be a loader to execute code hosted on free 42web[.]io hosting.

Abuse categories

native-extension

The suspicious activity is performed in a native module extension

remote_executable

Downloads and executes a remote executable.

Packages in the campaign

campaign:2026-06-ur7

• ur7