The package is a new version of the previously removed libhmac. The key parts, a malicious payload to inject into hijacked browser extensions, is not included in the package. The code allows hijacking browser extensions to - based on previous package - exfiltrate credentials. This package also contains code to create hidden SSH access to the machine with hardcoded credentials.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-05-libhmac

Reasons (based on the campaign):

• crypto-related

• exfiltration-credentials

• exfiltration-crypto

• exfiltration-browser-data