Campaign · active

Repeated static TTP

Correlated evidence: js_obfuscated_fetch_exec:hex-decoded literal + network fetch + child-process exec — staged obfuscated-loader / dropper (hides the c2 url from literal-url detection).

25 releases259 max score90 confidence

First seen 2026-06-20 · last seen 2026-06-20

Member releases

@coinbase/[email protected]
@cyclonedx/[email protected]
@okx_ai/[email protected]
@okx_ai/[email protected]
@okx_ai/[email protected]
@okx_ai/[email protected]
@okx_ai/[email protected]
@qqbrowser/[email protected]
@qqbrowser/[email protected]
@qqbrowser/[email protected]

Timeline

Date (UTC)	Event
2026-06-20	expanded_campaign
2026-06-20	expanded_campaign
2026-06-20	expanded_campaign
2026-06-20	expanded_campaign
2026-06-20	expanded_campaign
2026-06-20	expanded_campaign
2026-06-20	expanded_campaign
2026-06-20	expanded_campaign
2026-06-20	expanded_campaign
2026-06-20	expanded_campaign
2026-06-20	expanded_campaign
2026-06-20	expanded_campaign
2026-06-20	expanded_campaign
2026-06-20	expanded_campaign
2026-06-20	expanded_campaign
2026-06-20	new_campaign

PkgRadar groups releases that share payloads, hashes, or publishers into campaigns and blocks them at the CI gate. Start free or see all live campaigns.