{
  "campaign": {
    "name": "emiltype/jsonspack",
    "slug": "emiltype-jsonspack",
    "href": "/ti/campaigns/emiltype-jsonspack",
    "description": "SafeDep-tracked npm operation by the account conodeeth (coxhazelqja151@outlook.com). Ships package pairs: a byte-for-byte clone of a popular library acts as an innocuous carrier and injects one malicious runtime dependency that is a repackaged legitimate library hosting a runtime-call-triggered RCE backdoor (no install hook, inert on require). Two pairs known: nodemon-sudo/tslint-conf re-shipped hours after npm took down the first pair nodemon-node/ts-await, reusing the same Pinata IPFS CID and jsonkeeper dead-drop. LOW/tentative resemblance to the DPRK-linked (Contagious Interview/BeaverTail) jsonkeeper+IPFS npm cluster — technique/infrastructure family only, NOT hard-indicator attribution; could be that cluster or a copycat.",
    "objective": "Remote code execution and (suspected) credential/browser-database theft on developer and server machines running applications that wire in the fake logger.",
    "aliases": [
      "jsonspack",
      "jsonspack.com",
      "conodeeth"
    ],
    "discovered_at": "2026-07-09"
  },
  "packages": [
    {
      "ecosystem": "npm",
      "name": "nodemon-sudo",
      "href": "/ti/packages/npm/nodemon-sudo",
      "threat_types": [
        "typosquat",
        "other"
      ],
      "versions": [
        "3.1.16"
      ]
    },
    {
      "ecosystem": "npm",
      "name": "tslint-conf",
      "href": "/ti/packages/npm/tslint-conf",
      "threat_types": [
        "c2_agent",
        "data_exfiltration",
        "other"
      ],
      "versions": [
        "7.2.1"
      ]
    },
    {
      "ecosystem": "npm",
      "name": "nodemon-node",
      "href": "/ti/packages/npm/nodemon-node",
      "threat_types": [
        "typosquat",
        "other"
      ],
      "versions": [
        "3.1.16"
      ]
    }
  ],
  "indicators": [
    {
      "kind": "sha256",
      "value": "aa9b9847e4ffd894a19ec9712848651882b0195de5f4953eef9b47791adddabf",
      "href": "/ti/ioc/sha256/aa9b9847e4ffd894a19ec9712848651882b0195de5f4953eef9b47791adddabf",
      "context": "nodemon-sudo@3.1.16 npm tarball (registry.npmjs.org/nodemon-sudo/-/nodemon-sudo-3.1.16.tgz)"
    },
    {
      "kind": "email",
      "value": "coxhazelqja151@outlook.com",
      "href": "/ti/ioc/email/coxhazelqja151@outlook.com",
      "context": "npm maintainer email for account conodeeth, publisher of all four packages"
    },
    {
      "kind": "url",
      "value": "https://jsonkeeper.com/b/XRGF3",
      "href": "/ti/ioc/url/url-701bed71dcb4",
      "context": "Active dead-drop in tslint-conf lib/caller.js; SafeDep: same dead-drop referenced by first-pair nodemon-node"
    },
    {
      "kind": "domain",
      "value": "jsonkeeper.com",
      "href": "/ti/ioc/domain/jsonkeeper.com",
      "context": "Public JSON paste service used as dead-drop C2. Shared TTP-family with express-session-js (DPRK Contagious Interview / Famous Chollima) — technique-level link, not hard attribution."
    },
    {
      "kind": "domain",
      "value": "peach-eligible-penguin-917.mypinata.cloud",
      "href": "/ti/ioc/domain/peach-eligible-penguin-917.mypinata.cloud",
      "context": "Pinata IPFS gateway, stage-2 host fetched by tslint-conf lib/caller.js (same CID shared with first-pair nodemon-node per SafeDep)"
    },
    {
      "kind": "url",
      "value": "https://peach-eligible-penguin-917.mypinata.cloud/ipfs/bafkreigjnxn5vnn34rc5r43ajwwkmk4akqpm4awmq5gdhakgszpeqiffsu",
      "href": "/ti/ioc/url/url-bdd77572dddf",
      "context": "Full stage-2 URL; IPFS CID bafkreigjnxn5vnn34rc5r43ajwwkmk4akqpm4awmq5gdhakgszpeqiffsu. GET with header x-secret-key: _, response .cookie eval'd via Function.constructor. Stage-2 deliberately NOT fetched."
    },
    {
      "kind": "url",
      "value": "https://jsonkeeper.com/b/4NAKK",
      "href": "/ti/ioc/url/url-9f4fc969fe0b",
      "context": "Orphaned base64 dead-drop in tslint-conf lib/const.js (unreferenced); reused tooling linking the new pair to the first pair"
    },
    {
      "kind": "sha256",
      "value": "d4b7add83e5c716b5e52082f713d71ec9d7bfd93e358d500d77c2393302dd004",
      "href": "/ti/ioc/sha256/d4b7add83e5c716b5e52082f713d71ec9d7bfd93e358d500d77c2393302dd004",
      "context": "tslint-conf@7.2.1 npm tarball (registry.npmjs.org/tslint-conf/-/tslint-conf-7.2.1.tgz)"
    },
    {
      "kind": "sha256",
      "value": "2956b023858d706a5e241cd28b845088e5f414c5f70bd5d8cb73cb427d081065",
      "href": "/ti/ioc/sha256/2956b023858d706a5e241cd28b845088e5f414c5f70bd5d8cb73cb427d081065",
      "context": "tslint-conf index.js (fake pino/express middleware main)"
    },
    {
      "kind": "sha256",
      "value": "541c35bd90653c9d7f93cdadb7f52c281d7a1375ffc9c0e118cf1d9df977dea7",
      "href": "/ti/ioc/sha256/541c35bd90653c9d7f93cdadb7f52c281d7a1375ffc9c0e118cf1d9df977dea7",
      "context": "tslint-conf lib/caller.js (stage-2 fetch + Function.constructor RCE)"
    },
    {
      "kind": "sha256",
      "value": "d10853dde92fdc48d8cb5505d89e0030fd35e1416a16a820fe5ec4aceef01c4f",
      "href": "/ti/ioc/sha256/d10853dde92fdc48d8cb5505d89e0030fd35e1416a16a820fe5ec4aceef01c4f",
      "context": "tslint-conf lib/const.js (orphaned; carries jsonkeeper b/4NAKK dead-drop)"
    },
    {
      "kind": "email",
      "value": "hello@jsonspack.com",
      "href": "/ti/ioc/email/hello@jsonspack.com",
      "context": "Forged author email (Alexus111) on tslint-conf@7.2.1"
    },
    {
      "kind": "domain",
      "value": "jsonspack.com",
      "href": "/ti/ioc/domain/jsonspack.com",
      "context": "Forged-author domain on tslint-conf (author Alexus111 <hello@jsonspack.com>, bugs URL jsonspack.com/issues); campaign namesake"
    }
  ],
  "ttps": [
    {
      "name": "Compromise Software Supply Chain",
      "mitre_attack_id": "T1195.002",
      "href": "/ti/ttps/T1195.002"
    },
    {
      "name": "Command and Scripting Interpreter: JavaScript",
      "mitre_attack_id": "T1059.007",
      "href": "/ti/ttps/T1059.007"
    },
    {
      "name": "Obfuscated Files or Information",
      "mitre_attack_id": "T1027",
      "href": "/ti/ttps/T1027"
    },
    {
      "name": "Deobfuscate/Decode Files or Information",
      "mitre_attack_id": "T1140",
      "href": "/ti/ttps/T1140"
    },
    {
      "name": "Web Service",
      "mitre_attack_id": "T1102",
      "href": "/ti/ttps/T1102"
    },
    {
      "name": "Ingress Tool Transfer",
      "mitre_attack_id": "T1105",
      "href": "/ti/ttps/T1105"
    },
    {
      "name": "Debugger Evasion",
      "mitre_attack_id": "T1622",
      "href": "/ti/ttps/T1622"
    }
  ],
  "related_campaigns": [],
  "reports": [
    {
      "title": "nodemon-sudo: an npm Backdoor With No Install Script",
      "url": "https://safedep.io/malicious-nodemon-sudo-tslint-conf-npm-backdoor",
      "published_at": "2026-07-09"
    }
  ]
}