Campaign · active

Repeated static TTP

Correlated evidence: js_hidden_powershell:hidden / non-interactive powershell invocation in package code — `-windowstyle hidden`, `irm | iex`, `windowshide: true`, or equivalent — used to download-and-run payloads on windows installers.

194 releases186 max score90 confidence

First seen 2026-05-30 · last seen 2026-06-03

Member releases

Timeline

Date (UTC)	Event
2026-06-03	expanded_campaign
2026-06-03	expanded_campaign
2026-06-03	expanded_campaign
2026-06-03	expanded_campaign
2026-06-03	expanded_campaign
2026-06-03	expanded_campaign
2026-06-03	expanded_campaign
2026-06-03	expanded_campaign
2026-06-03	expanded_campaign
2026-06-03	expanded_campaign
2026-06-03	expanded_campaign
2026-06-03	expanded_campaign
2026-06-03	expanded_campaign
2026-06-03	expanded_campaign
2026-06-02	expanded_campaign
2026-06-02	expanded_campaign
2026-06-02	expanded_campaign
2026-06-02	expanded_campaign
2026-06-02	expanded_campaign
2026-06-02	expanded_campaign

PkgRadar groups releases that share payloads, hashes, or publishers into campaigns and blocks them at the CI gate. Start free or see all live campaigns.