Our anti-viurs software, Cisco AMP, keeps quarantining Sublime. Looks Sublime Text has a Plugin_host.exe file trying to contact the url - hxxp://app[.]1self.co/v1/streams//events – (resolving to 195.22.26.248). This IP has a bad reputation. Has anyone else experienced this?

Background of this detection:

The accessing url/domain is resolve to the IP - 195.22.26.248 which is blacklisted IP (bad reputation). So the connection was detected and blocked by Cisco AMP as resolving IP is blacklisted.

Maybe a plugin doing this?

I can see https://packagecontrol.io/packages/1Self containing the name “1self” and pointing to the mensioned url.

I can’t say that I’ve ever faced a similar problem. I’m not sure what it can be connected with. I can say that if you installed Sublime from an official source, you definitely shouldn’t have any problems. The official publisher of this software will not deceive its users. It just doesn’t make any sense. So I advise you to reinstall Sublime from the official source! Although the source of this URL can be any application, even an ad blocker. So maybe you should visit https://www.softwaretesttips.com/best-free-ad-blocker/ to find a better adblocker.

This may be true only if setup was downloaded from official sublimehq website. If the PC is infected by some maleware or rootkit the download could also be redireced to an otherwise infected installer. There are still a couple of possible reasons for being tampered.