{"campaign":{"name":"big.js Typosquat SSH Backdoor","slug":"big-js-typosquat-ssh-backdoor","href":"/ti/campaigns/big-js-typosquat-ssh-backdoor","description":"Cluster of big.js and biginteger typosquats (sjs-biginteger, bjs-biginteger, cjs-biginteger and lint-builder variants) that implant SSH backdoors and steal developer keys.","objective":"Implant SSH backdoors and steal developer keys via typosquats.","aliases":[],"discovered_at":"2026-04-09"},"packages":[{"ecosystem":"npm","name":"sjs-biginteger","href":"/ti/packages/npm/sjs-biginteger","threat_types":["credential_stealer","data_exfiltration","rat","persistence","c2_agent","typosquat"],"versions":["1.0.0"]},{"ecosystem":"npm","name":"sjs-lint-build1","href":"/ti/packages/npm/sjs-lint-build1","threat_types":["credential_stealer","data_exfiltration","rat","persistence","c2_agent","typosquat"],"versions":["1.0.0"]},{"ecosystem":"npm","name":"bjs-biginteger","href":"/ti/packages/npm/bjs-biginteger","threat_types":["credential_stealer","data_exfiltration","rat","persistence","c2_agent","typosquat"],"versions":["1.0.0"]},{"ecosystem":"npm","name":"bjs-lint-builder","href":"/ti/packages/npm/bjs-lint-builder","threat_types":["credential_stealer","data_exfiltration","rat","persistence","c2_agent","typosquat"],"versions":["1.0.0"]},{"ecosystem":"npm","name":"bjs-lint-builders","href":"/ti/packages/npm/bjs-lint-builders","threat_types":["credential_stealer","data_exfiltration","rat","persistence","c2_agent","typosquat"],"versions":["1.0.0"]},{"ecosystem":"npm","name":"cjs-biginteger","href":"/ti/packages/npm/cjs-biginteger","threat_types":["credential_stealer","data_exfiltration","rat","persistence","c2_agent","typosquat"],"versions":["1.0.0"]},{"ecosystem":"npm","name":"ts-lint-builds","href":"/ti/packages/npm/ts-lint-builds","threat_types":["credential_stealer","data_exfiltration","rat","persistence","c2_agent","typosquat"],"versions":["1.0.0"]}],"indicators":[{"kind":"domain","value":"cloudflareinsights.vercel.app","href":"/ti/ioc/domain/cloudflareinsights.vercel.app","context":"Network indicator from blog post"},{"kind":"domain","value":"cloudflarefirewall.vercel.app","href":"/ti/ioc/domain/cloudflarefirewall.vercel.app","context":"Network indicator from blog post"},{"kind":"sha256","value":"55bee3abfa26a78989baae1053a778d3b4a984d5451621a851211a45fe2a82b9","href":"/ti/ioc/sha256/55bee3abfa26a78989baae1053a778d3b4a984d5451621a851211a45fe2a82b9","context":"SHA-256 hash from blog post"},{"kind":"sha256","value":"02a00a158ceedaaf7a4bf53002a74d60339d4668d463831fe218905816b72e07","href":"/ti/ioc/sha256/02a00a158ceedaaf7a4bf53002a74d60339d4668d463831fe218905816b72e07","context":"SHA-256 hash from blog post"},{"kind":"sha256","value":"9d2037fc0ad9ada672d30e17a9496cbde392c5093a9fde0b8f16d28e2e0c50c7","href":"/ti/ioc/sha256/9d2037fc0ad9ada672d30e17a9496cbde392c5093a9fde0b8f16d28e2e0c50c7","context":"SHA-256 hash from blog post"},{"kind":"sha256","value":"7bff4518f4d49ddf3d04d8167a6f5f17aed9b3703290f65cf71c61ea61f0a7bc","href":"/ti/ioc/sha256/7bff4518f4d49ddf3d04d8167a6f5f17aed9b3703290f65cf71c61ea61f0a7bc","context":"SHA-256 hash from blog post"},{"kind":"sha256","value":"aa36d4bee44ee1d35af0e211e8cca957044c782b177787b1181d18d6d6323037","href":"/ti/ioc/sha256/aa36d4bee44ee1d35af0e211e8cca957044c782b177787b1181d18d6d6323037","context":"SHA-256 hash from blog post"},{"kind":"sha256","value":"f4914c528cf92a7e97ac3b24138afb86b4cd9db6960d92ffbbff36a1fb90ead9","href":"/ti/ioc/sha256/f4914c528cf92a7e97ac3b24138afb86b4cd9db6960d92ffbbff36a1fb90ead9","context":"SHA-256 hash from blog post"},{"kind":"sha256","value":"fc095d3e6a613e27d267d80b448101ef78b02ec07dd3993c734202839015fb54","href":"/ti/ioc/sha256/fc095d3e6a613e27d267d80b448101ef78b02ec07dd3993c734202839015fb54","context":"SHA-256 hash from blog post"},{"kind":"sha256","value":"86f60a2196c3d1355efdcfee41f1549c30c6081bf6c106d11e44a64691f8ebd3","href":"/ti/ioc/sha256/86f60a2196c3d1355efdcfee41f1549c30c6081bf6c106d11e44a64691f8ebd3","context":"SHA-256 hash from blog post"},{"kind":"email","value":"vanes.s.p.orit.a@googlemail.com","href":"/ti/ioc/email/vanes.s.p.orit.a@googlemail.com","context":"Email indicator from blog post"},{"kind":"email","value":"support@polymarket.com","href":"/ti/ioc/email/support@polymarket.com","context":"Email indicator from blog post"}],"ttps":[{"name":"Supply Chain Compromise: Compromise Software Dependencies and Development Tools","mitre_attack_id":"T1195.001","href":"/ti/ttps/T1195.001"},{"name":"Command and Scripting Interpreter: JavaScript","mitre_attack_id":"T1059.007","href":"/ti/ttps/T1059.007"},{"name":"Masquerading: package impersonation and typosquatting","mitre_attack_id":"T1036","href":"/ti/ttps/T1036"},{"name":"Unsecured Credentials: Credentials In Files","mitre_attack_id":"T1552.001","href":"/ti/ttps/T1552.001"},{"name":"Exfiltration Over C2 Channel","mitre_attack_id":"T1041","href":"/ti/ttps/T1041"},{"name":"Unsecured Credentials: Private Keys","mitre_attack_id":"T1552.004","href":"/ti/ttps/T1552.004"},{"name":"Ingress Tool Transfer","mitre_attack_id":"T1105","href":"/ti/ttps/T1105"},{"name":"Application Layer Protocol: Web Protocols","mitre_attack_id":"T1071.001","href":"/ti/ttps/T1071.001"},{"name":"Event Triggered Execution","mitre_attack_id":"T1546","href":"/ti/ttps/T1546"},{"name":"Obfuscated Files or Information","mitre_attack_id":"T1027","href":"/ti/ttps/T1027"}],"related_campaigns":[],"reports":[{"title":"big.js Typosquat Campaign Implants SSH Backdoors","url":"https://safedep.io/malicious-sjs-biginteger-npm-ssh-theft","published_at":"2026-04-09"}]}