During import, the package exfiltrates sensitive data (credentials, SSH keys, cryptowallet's data). It also establishes persistence via a cronjob.

---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.

Campaign: 2026-06-spl-token-py

Reasons (based on the campaign):

• crypto-related

• typosquatting

• exfiltration-ssh-keys

• exfiltration-credentials

• exfiltration-crypto

• exfiltration-env-variables

• persistence

• uses-telegram-bot

• The package contains code to detect if it is running in a sandbox environment.