Skip to content

HIGHLY_SUSPICIOUS (1) campaign cataloged at 2026-07-17(2).

  1. Packages that are likely malicious, but due to the obfuscation level, lack of time or clear indicators it's hard to say what exactly they do; the highest risk of false positives.
  2. This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.

2026-07-andreiiiiiii_i

Package presents little functionality, but excessive 'telemetry' module that can be used to exfiltrate basic information. However, the exfiltration target is not given: despite implementing multiple ways to retrieve it, e.g. from DNS records, the code lacks the initial value required to discover the C2. It can be provided via environment variables. Given little functionality and multiple similar packages, the file is likely a preparation for a malicious campaign, but there is no enough information.

Abuse categories

abuses-pth

The package uses .pth files, sitecustomize or usercustomize modules to execute malicious code during Python startup, even without importing the package code manually.

basic_exfiltration

The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.

override_install

The package overrides the install command in setup.py to execute malicious code during installation.

Packages in the campaign

campaign:2026-07-andreiiiiiii_i