tanvisoul9 npm Backdoors
npm packages published by a single operator that plant SSH backdoors and full remote access trojans on developer machines. All variants exfiltrate stolen data to the [email protected] mailbox, tying the packages to one actor.
Discovered: 2026-04-14
Objective
Gain persistent remote access to developer machines and steal credentials.
Packages
Indicators
Techniques
- T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- T1059.007 Command and Scripting Interpreter: JavaScript
- T1041 Exfiltration Over C2 Channel
- T1552.004 Unsecured Credentials: Private Keys
- T1105 Ingress Tool Transfer
- T1071.001 Application Layer Protocol: Web Protocols
- T1102 Web Service
- T1546 Event Triggered Execution
- T1552.001 Unsecured Credentials: Credentials In Files
- T1539 Steal Web Session Cookie
