{"campaign":{"name":"fucktestpad npm Malware","slug":"fucktestpad-npm-malware","href":"/ti/campaigns/fucktestpad-npm-malware","description":"npm packages from a single operator delivering Windows RATs and browser cookie/credential stealers. Every variant exfiltrates to fucktestpad@opemails.com, linking the packages to one actor.","objective":"Deploy RATs and steal browser cookies and credentials from developer machines.","aliases":[],"discovered_at":"2026-04-16"},"packages":[{"ecosystem":"npm","name":"ixpresso-core","href":"/ti/packages/npm/ixpresso-core","threat_types":["rat","credential_stealer","crypto_drainer","data_exfiltration","persistence","c2_agent"],"versions":["1.0.0","1.0.1","1.0.2"]},{"ecosystem":"npm","name":"godsplan","href":"/ti/packages/npm/godsplan","threat_types":["rat","credential_stealer","data_exfiltration","persistence","c2_agent"],"versions":["1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8"]},{"ecosystem":"npm","name":"eyevox","href":"/ti/packages/npm/eyevox","threat_types":["rat","credential_stealer","data_exfiltration","persistence","c2_agent"],"versions":["2.1.4","2.1.5","2.1.6","2.1.7","2.1.8","2.1.9","2.1.10","2.1.11"]},{"ecosystem":"npm","name":"exiouss","href":"/ti/packages/npm/exiouss","threat_types":["credential_stealer","data_exfiltration","rat","persistence"],"versions":["1.0.0"]}],"indicators":[{"kind":"domain","value":"discord.com","href":"/ti/ioc/domain/discord.com","context":"Network indicator from blog post"},{"kind":"ipv4","value":"0.0.0.0","href":"/ti/ioc/ipv4/0.0.0.0","context":"IP address indicator from blog post"},{"kind":"email","value":"fucktestpad@opemails.com","href":"/ti/ioc/email/fucktestpad@opemails.com","context":"Email indicator from blog post"},{"kind":"sha256","value":"e2fda5aa8397799669f29258f69e803cf05d322c1d93269eef6754ca024c3865","href":"/ti/ioc/sha256/e2fda5aa8397799669f29258f69e803cf05d322c1d93269eef6754ca024c3865","context":"SHA-256 hash from blog post"}],"ttps":[{"name":"Supply Chain Compromise: Compromise Software Dependencies and Development Tools","mitre_attack_id":"T1195.001","href":"/ti/ttps/T1195.001"},{"name":"Command and Scripting Interpreter: JavaScript","mitre_attack_id":"T1059.007","href":"/ti/ttps/T1059.007"},{"name":"Unsecured Credentials: Credentials In Files","mitre_attack_id":"T1552.001","href":"/ti/ttps/T1552.001"},{"name":"Exfiltration Over C2 Channel","mitre_attack_id":"T1041","href":"/ti/ttps/T1041"},{"name":"Unsecured Credentials: Private Keys","mitre_attack_id":"T1552.004","href":"/ti/ttps/T1552.004"},{"name":"Steal Application Access Token","mitre_attack_id":"T1528","href":"/ti/ttps/T1528"},{"name":"Steal Web Session Cookie","mitre_attack_id":"T1539","href":"/ti/ttps/T1539"},{"name":"Ingress Tool Transfer","mitre_attack_id":"T1105","href":"/ti/ttps/T1105"},{"name":"Application Layer Protocol: Web Protocols","mitre_attack_id":"T1071.001","href":"/ti/ttps/T1071.001"},{"name":"Web Service","mitre_attack_id":"T1102","href":"/ti/ttps/T1102"},{"name":"Event Triggered Execution","mitre_attack_id":"T1546","href":"/ti/ttps/T1546"}],"related_campaigns":[],"reports":[{"title":"ixpresso-core: Windows RAT Disguised as a WhatsApp Agent","url":"https://safedep.io/malicious-ixpresso-core-npm-rat","published_at":"2026-04-16"},{"title":"exiouss: Cookie Stealer Bundled in npm Exam Cheat","url":"https://safedep.io/malicious-exiouss-npm-exam-cheating-tool","published_at":"2026-05-01"}]}