During import, package loads embedded native extension module. This library hooks on loading, spawns a new system process and likely attempts to inject the encrypted payload in it for further execution (T1055.012). The code uses heavy analysis evasion techniques. Decrypted payload revealed capabilities to steal all kind of credentials (browsers data, AI tools, env variables, SSH keys, ...), inject code to redirect cryptocurrency transactions, spy-like activities (screenshots, keylogger) and worm-like activities using discovered GitHub tokens to publish malicious code into CI. It establishes persistence in %LOCALAPPDATA%\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe and also attempts to perform lateral movement in Kubernetes and AWS environments.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-syncagents

Reasons (based on the campaign):

• native-extension

• infostealer

• worm

• exfiltration-crypto

• exfiltration-credentials

• uses-telegram-bot

• keylogger

• clipboard-stealing

• exfiltration-ssh-keys

• The package contains code to detect if it is running in a sandbox environment.

• obfuscation

• exfiltration-browser-data

• exfiltration-env-variables

• persistence