MALICIOUS (1) campaign cataloged at 2026-07-12(2).
- The campaign has clearly malicious intent, like infostealers.
- This is just the date of creating the catalog entry. It may not reflect the date of creation of the campaign itself.
2026-07-metemask-sdk¶
During import, the code downloads and executes a remote script. The script collects sensitive files, including cryptocurrency wallet private keys and seeds, SSH keys, dotenv files and uploads them to IPFS. After that, it communicates with C2 and awaits further commands to execute.
Abuse categories¶
crypto-related
Malicious activity is related to cryptocurrencies or blockchain, e.g. stealing crypto wallets.
exfiltration_crypto
The package attempts to steal sensitive cryptocurrency-related data, like wallet keys.
exfiltration_ssh_keys
Campaign uses exfiltration_ssh_keys.
files_exfiltration
Campaign uses files_exfiltration.
remote_commands
The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.
remote_script
Downloads and executes a remote malicious script.
typosquatting
The package name is an typosquatting variant of a popular package.
uses:IPFS
Campaign uses uses:IPFS.
IoCs & related URLs¶
URLs with payloads, characteristic domains, C&C IPs, repositories with malicious code, etc.
-
hxxp://107.161.90.180:7778 -
107.161.90.180 -
hxxps://gateway.pinata.cloud/ipfs/QmP2RrfNCNabLzPYncMGgFwAmttDafczpJLS8oxvQRBVqg