Indicators of Compromise

Every IOC SafeDep has linked to a malicious package or campaign: domains, IPs, URLs, emails, file hashes, file paths, GitHub repositories, and crypto wallets. The last column gives the number of campaigns the indicator is linked to.

type value context campaigns
domain v3.jiathis.com Payload server. Hijacked JiaThis social sharing service domain (Beijing, 2009). Re-registered through GoDaddy, routed via Cloudflare. Serves gambling redirect payload on jia.js path with Referer gating. art.js path returns 404 as of 2026-07-03. Shared Cloudflare nameservers (paislee/sean) with mki.mom. 1
domain test.airsplu.cn Gambling redirect destination. Chinese gambling/adult content portal (2026 World Cup Navigation). Huawei CDN (45.197.102.29). Beijing timezone-gated redirect: 7PM-6AM 100%, daytime 30%. 1
domain s5gw.mki.mom Gambling portal backend. CNAME to 500info.win (Azure). Shares Cloudflare nameservers (paislee/sean) with jiathis.com, indicating same Cloudflare account. Baidu Analytics tracker a29b02d841cccc4c4b32f9c5dbebb0b0. 1
domain s5dh.club Gambling portal. 301 redirect to s5gw.mki.mom. Azure IPs (20.239.154.185, 20.2.192.146). Registered 2025-02-19 via GoDaddy. 1
domain 500info.win CNAME load balancer target for s5gw.mki.mom. DNS-only, no A record. 0
domain l1ewsu3yjkqeroy.xyz Former C2 sync endpoint (Phase 2). Cloudflare-fronted. /api/ip-sync/sync POST every 10s with channelCode CHMK6IG08F42496C22. DEAD as of 2026-07-03. 1
domain daohang.2023200.com Former gambling API backend. DEAD as of 2026-07-03. 0
ipv4 172.67.184.213 Cloudflare IP for v3.jiathis.com (Phase 3) 0
ipv4 104.21.59.230 Cloudflare IP for v3.jiathis.com (Phase 3) 0
ipv4 45.197.102.29 Huawei CDN IP for test.airsplu.cn gambling redirect 0
ipv4 20.239.154.185 Microsoft Azure IP for s5dh.club / s5gw.mki.mom gambling portal 0
ipv4 20.2.192.146 Microsoft Azure IP for s5dh.club / s5gw.mki.mom gambling portal 0
sha256 e27a0e28da18a7978dd0139bccf48ec5c39454fda6384c95fc0fb004b3b502a2 [email protected] npm tarball (Phase 3, published 2026-06-27 by npmpacketmaintainmember8) 1
sha256 7c59001d7bdd0dfb04b89d2de3d71b18975b20f22b2af880911413fb29cfdff0 v3.jiathis.com/code/jia.js gambling redirect payload (last-modified 2026-06-30). Baidu Analytics + time-gated redirect to test.airsplu.cn. 1
email [email protected] Phase 3 publisher account (npmpacketmaintainmember8). Published 4.13.7 on 2026-06-27. 1
url https://v3.jiathis.com/code/art.js Injected script URL in [email protected] and 4.13.7 (atob decoded from aHR0cHM6Ly92My5qaWF0aGlzLmNvbS9jb2RlL2FydC5qcw==). Returns 404 as of 2026-07-03. 1
url https://v3.jiathis.com/code/jia.js Injected script URL in [email protected] (with ?uid=artemplate param). Also loaded by legacy JiaThis widget embeddings across thousands of Chinese websites. LIVE, serving gambling redirect payload. 1
email [email protected] npm maintainer email for the marketfront account that published the 25 Wave 4 packages. Anonymous Tutanota (tutamail.com) address. Fifth publisher identity and fourth distinct email tied to the oob-moika-tech campaign (after mr.4nd3r50n/pik-libs, [email protected], [email protected]). 1
url /api/v1/events Wave 4 exfiltration path. Receives a gzip-compressed HTTPS POST carrying harvested credential-file contents, gated by a custom X-Secret header. The full C2 host is RC4+XOR-concealed in the payload and was NOT statically resolved — only the path is known. Detection artifact: outbound POST to /api/v1/events with an X-Secret header and gzip body from a workstation/CI agent during npm install. 1
domain npm.marketfront.io Fabricated internal npm registry lure in the @marketfront package READMEs (registry=https://npm.marketfront.io). Scope-parameterized social-engineering artifact (npm.<scope>.io), NOT confirmed functional infrastructure. Same pattern as npm.car-loans.io / npm.cloudplatform-single-spa.io / npm.t-in-one.io in prior waves. 1
domain telemetry.marketfront.io Fabricated telemetry cover-story endpoint referenced in @marketfront READMEs (telemetry.<scope>.io). Social-engineering artifact to normalize expected outbound network activity at install time; NOT the actual exfil destination (which is the RC4-concealed C2 at path /api/v1/events). 1
domain github.marketfront.io Fabricated GitHub Enterprise subdomain used as the repository.url in @marketfront package metadata (git+https://github.marketfront.io/platform/<pkg>.git). Scope-parameterized social-engineering artifact (github.<scope>.io); not confirmed functional infrastructure. 1
sha256 3a24e0fd22dce86e897b09cdb146514a0dcf2430a5d3f307c6b5959155c34b33 postinstall.js payload SHA256 in @emcd-vue/[email protected] (Wave 3 scope, republished/live as of 2026-07-02). Corroborates the same-operator link across waves. 1
sha256 78b06a93c16d990d896ed2c77f48097977ae452f009c0345b5396efdf963a97c postinstall.js payload SHA256 in @emcd-vue/[email protected] (Wave 3 scope, republished/live as of 2026-07-02). 1
sha256 acb6f87e440ccb5efe299313e7adb506586e31a6e7381515a9fb2057965f715e postinstall.js payload SHA256 in @emcd-vue/[email protected] (Wave 3 scope, republished/live as of 2026-07-02). 1
email [email protected] npm maintainer email for the t.tqm.mfe account that published @tqm-mfe/main. Anonymous Proton Mail address and a NEW actor identifier — distinct from [email protected] (the same-day @marketfront Wave 4 sibling). Sixth publisher identity and fifth distinct email tied to the oob-moika-tech campaign (after mr.4nd3r50n/pik-libs, [email protected], [email protected], [email protected]). 1
md5 7c1a3a2eea2fa01246179bcfcd2648b0 scripts/postinstall.js md5 in @tqm-mfe/[email protected]. ~182 KB obfuscator.io-style single-line payload, RC4/XOR-behind-base64 obfuscation class (same family as @marketfront Wave 4). Differs from the 5.5.0 postinstall.js. 1
md5 eba5d3fa62ff3bbcd9d3a75d7f884de2 scripts/postinstall.js md5 in @tqm-mfe/[email protected] (dist-tag latest, changelog claims 'Added ARM64 support'). Differs from the 5.4.7 postinstall.js md5, indicating a re-obfuscated / updated payload between the two ~2h-apart versions. 1
md5 7f01e8546af142347587931cf56cc47a dist/index.js md5 in @tqm-mfe/main (identical across 5.4.7 and 5.5.0). Non-functional decoy: module.exports = require('../src/index.js'), where ../src/index.js is absent from the tarball — the library cannot load, so only the postinstall hook runs. Same decoy-facade pattern as @marketfront Wave 4. 1
domain docs.tqm-mfe.io Fabricated docs domain in @tqm-mfe/main metadata (homepage https://docs.tqm-mfe.io/platform/main). Scope-parameterized social-engineering artifact (docs.<scope>.io); NOT confirmed functional infrastructure. 1
domain jira.tqm-mfe.io Fabricated Jira domain in @tqm-mfe/main metadata (bugs.url https://jira.tqm-mfe.io/projects/PLATFORM). Scope-parameterized social-engineering artifact (jira.<scope>.io); NOT confirmed functional infrastructure. 1
domain npm.tqm-mfe.io Fabricated internal npm registry lure in the @tqm-mfe/main README (registry=https://npm.tqm-mfe.io). Scope-parameterized social-engineering artifact (npm.<scope>.io) to imply a private registry (the precondition for dependency confusion); NOT confirmed functional infrastructure. 1
domain telemetry.tqm-mfe.io Fabricated telemetry cover-story endpoint referenced in the @tqm-mfe/main README (telemetry.<scope>.io). Social-engineering artifact to normalize expected outbound network activity at install time; NOT the actual exfil destination (which is the RC4-concealed, unresolved C2). 1
domain github.tqm-mfe.io Fabricated GitHub host used as the repository.url in @tqm-mfe/main metadata (git+https://github.tqm-mfe.io/platform/main.git). Scope-parameterized social-engineering artifact (github.<scope>.io); NOT confirmed functional infrastructure. 1
sha256 ceff7c51d70832c3ec8dd2744b606a23b3c924ef664ae23439b9b742ea154108 Decrypted Bun bootstrapper (_b blob), identical across all 20 LeoPlatform infected packages 1
sha256 9f93d77d32833a515bc406c46da477142bb1ac2babeecb6aa42f98669a6db015 Decrypted worm payload (_p blob), identical across all 20 LeoPlatform infected packages (781,580 bytes) 1
sha1 24a0d9e496ec07ca978fab602d5f5e0b39fa03a0 Infected tarball SHA1: leo-logger-1.0.8.tgz 0
sha1 5e75c14b8acd5752819ab7a10874ddd6389f5238 Infected tarball SHA1: serverless-convention-2.0.4.tgz 0
sha1 e973173fb757d2dab9c6424b440dd9f7cbe4f14a Infected tarball SHA1: leo-cache-1.0.2.tgz 0
sha1 a8cb86b78ca56befe90dc466642cb04b98079909 Infected tarball SHA1: rstreams-shard-util-1.0.1.tgz 0
github_repo LeoPlatform/Nodejs GitHub repo with orphan snapshot-f121a878 branch carrying worm payload and weaponized Dependabot workflow 1
github_repo LeoPlatform/auth-sdk GitHub repo with orphan snapshot-463d9ff7 branch carrying worm payload 1
github_repo LeoPlatform/Leo GitHub repo with orphan snapshot-afacc302 branch carrying worm payload 1
email [email protected] Compromised npm maintainer account (czirker / Clint Zirker), patient zero for the LeoPlatform wave. Single maintainer on all 20 infected packages. 0
domain wshu.net SUPPORTING signal, NOT a unique attacker indicator. wshu.net is a PUBLIC DISPOSABLE-EMAIL provider (verified on disposable-email blocklists: disposable-email-domains, fakefilter, MISP warninglists, authgear free-email list, and in unrelated apps' temp-mail signup logs), so the domain alone catches many unrelated throwaway accounts and is a noisy pivot. The campaign uses the per-scope burner pattern <scope>-<6rand>@wshu.net across all 12 scopes; treat that pattern as corroborating evidence only when combined with the durable code fingerprint (shared runPrepare/onInstall javascript-obfuscator wrapper + byte-identical/near-identical payload blobs + the 2026-06-04 publish burst), not as a standalone domain pivot. The earlier noon-contracts npm package (publisher [email protected], 2026-05-10) shares only this disposable-email provider, not payload or code. 1
email [email protected] npm publisher email for the @apexcraft scope (root @apexcraft/nano-key). 1
email [email protected] npm publisher email for the @bytemend scope (@bytemend/mfebus). 1
email [email protected] npm publisher email for the @chunklab scope (@chunklab/hexparse). 1
email [email protected] npm publisher email for the @zynkit scope (@zynkit/jwtbytes and the @zynkit/probe stub). 1
email [email protected] npm publisher email for the @petitcode scope (@petitcode/eb-retry). 1
email [email protected] npm publisher email for the @tinyfox scope (@tinyfox/shapecheck). 1
email [email protected] npm publisher email for the @glitchpad scope (@glitchpad/throttler). 1
email [email protected] npm publisher email for the @thymelab scope (@thymelab/logfx). 1
sha256 618dfffb6829356c131fded9f4c6528b73b4f9d7ff1fc1d3b457599a12584e29 Obfuscated payload blob dist/cjs/seed.cjs in @apexcraft/nano-key 1.3.7 (277264 bytes). 1
sha256 a9a28f2e9f7e0348092682940b3bf63d47a63afc18eb8bfe628e5ddab0d73b47 Obfuscated payload blob dist/bootstrap.js in @bytemend/mfebus 1.4.2 (277306 bytes). 1
sha256 24c8f9b8ac17c2f88cc01d44543963206472112510962b68cf5f74d598b3b065 Obfuscated payload blob script/prelude.cjs in @chunklab/hexparse 1.1.6 (277265 bytes). 1
sha256 d06ee17d30ebb333ab2e5b6e8a1324fcf95edaaae17b6793ec0f3647338efda1 Obfuscated payload blob dist/prelude.cjs in @zynkit/jwtbytes 0.5.3 (282050 bytes). 1
sha256 32d02f806d58a6670f7cc9b93f1d85b22e0e0f535e1f90a62d86918033896f54 Obfuscated payload blob lib/warmup.js in @petitcode/eb-retry 1.3.5 (282294 bytes). 1
sha256 0d27ca72b6f02faf4db95effb18347a7e2fa2def2034707bf9e56fa217879a3b Obfuscated payload blob dist/bootstrap.cjs in @tinyfox/shapecheck 0.8.7 (282051 bytes). 1
sha256 68b4fe54a4c05cd0115535ebd4aa8d3cccb03ea5a685f440314814ba1b89e875 Obfuscated payload blob (262934 bytes) shipped BYTE-IDENTICAL in TWO campaign packages: @glitchpad/throttler 2.2.3 (primer.cjs) and @lazyutil/dater 0.9.4 (dist/lib/tzinit.cjs). Confirmed via cmp/sha256 on extracted tarballs. Evidence that the actor reuses identical compiled blobs in at least one case rather than always re-seeding polymorphic per-string-RC4 builds. 1
sha256 4e927f22ad04f4ac9b487ae11412fc2a55210188789ac29f3a47ad77931907a5 Obfuscated payload blob dist/bootstrap.js in @thymelab/logfx 2.15.5 (282151 bytes). 1
file_path require(_0x45af03['GyrZN']) Dynamically-obscured require with an identical variable name (_0x45af03) and proxy key (GyrZN) across most campaign payload blobs. Resolves a Node built-in module name from a decrypted RC4 string at runtime to keep it out of the static module graph. Cross-package code fingerprint. 1
email [email protected] npm publisher email for the @briskforge scope (@briskforge/envcheck). 1
email [email protected] npm publisher email for the @lazyutil scope (@lazyutil/dater). 1
email [email protected] npm publisher email for the @frostnode scope (@frostnode/waitfor). 1
email [email protected] npm publisher email for the @nullzero scope (@nullzero/urlcat, flagged version unpublished before inspection). 1
sha256 26ddfae644673e0ad65b63caaaf67c0f7dc6c2b2b4127bb5271f8d03fb62091a Obfuscated payload blob lib/preflight.js in @briskforge/envcheck 0.5.4 (277356 bytes). 1
sha256 2de602e6422a991346aaf0b74ed6bd525215f5177b9f7f267ccb4d82e919273d Obfuscated payload blob dist/cjs/tickinit.cjs in @frostnode/waitfor 0.10.5 (259358 bytes). 1
file_path require(_0x2cb1b0['UGeLH']) Variant of the campaign's dynamically-obscured require fingerprint, found in @frostnode/waitfor dist/cjs/tickinit.cjs. Same technique as the canonical require(_0x45af03['GyrZN']) with a different variable name and proxy key — confirms shared obfuscation template across re-seeded builds. 1
email [email protected] npm publisher email for the @gleamkit scope (@gleamkit/probe scope-reservation stub). Same <scope>-<6char>@wshu.net burner pattern; wshu.net is a public disposable-email provider (supporting signal only). 1
github_repo angelmaybeth21-oss/test Second-stage delivery (Amazon Inspector / Operation Friday Harvest). The obfuscated first-stage downloader pulls a ~10.6MB Rust infostealer from this account's GitHub Releases. STRONGER pivot than the shared disposable wshu.net email. Account angelmaybeth21-oss created 2026-06-03; repo 'test' now removed but the account is still live. Dropper URL pattern: github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/{linux,mac,win.js}. SafeDep independently confirmed via the GitHub API that the account still existed at analysis time. 1
github_repo smilingdusty233 Secondary GitHub delivery/staging account associated with the campaign (Amazon Inspector). Created 2026-05-31. SafeDep independently confirmed via the GitHub API that the account still existed at analysis time. 1
url https://github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/linux GitHub Releases dropper URL for the Linux Rust infostealer ELF second stage (Amazon Inspector). Pattern: .../v1.0.0/{linux,mac,win.js}. 1
url https://github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/mac GitHub Releases dropper URL for the macOS Rust infostealer Mach-O second stage (Amazon Inspector). 1
url https://github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/win.js GitHub Releases dropper URL for the Windows Rust infostealer second stage (Amazon Inspector). The win.js name is a masquerade; the artifact is the Windows binary. 1
domain api.telegram.org Telegram Bot API used as exfil C2 by the Windows variant of the Rust infostealer second stage (Amazon Inspector). Resolves to 149.154.166.110. Linux/macOS variants exfil over HTTP multipart/form-data instead. 1
ipv4 149.154.166.110 Telegram infrastructure IP for api.telegram.org, the Windows-variant exfil C2 of the Rust infostealer second stage (Amazon Inspector). 1
sha256 2457b2e775a5fe7a9e022ba77074a1b9aacb41b4fc0cc1d8a3dc66546599c5de Second-stage Rust infostealer Linux ELF (~10.6MB) downloaded from github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/linux. Attributed to Amazon Inspector dynamic analysis (VirusTotal/CAPE). 1
sha256 b1c7b17f31a84e2596250121c3610ae5e0d592651940dd6c0dd74506f0f38313 Second-stage Rust infostealer macOS Mach-O downloaded from github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/mac. Attributed to Amazon Inspector dynamic analysis. 1
sha256 11fe3a47333f63fd0e0a32ea16351eb302659aba983c07e4ea3dc9b09b618509 Second-stage Rust infostealer Windows binary (win.js) downloaded from github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/win.js. Windows variant exfils via Telegram Bot API and is NOT anti-VM gated. Attributed to Amazon Inspector dynamic analysis. 1
file_path /tmp/_installer-0/ Host staging directory created by the downloader/second stage (Amazon Inspector). 1
file_path ~/.local/bin/<daemon> Persistence binary path for the Rust infostealer, masquerading as a benign daemon (observed names: colord, haveged). Paired with the systemd user unit at ~/.config/systemd/user/<daemon>.service (Amazon Inspector). 1
file_path ~/.config/systemd/user/<daemon>.service systemd USER service unit installed for persistence, masquerading as a benign daemon (colord, haveged). Loads ~/.local/bin/<daemon> (Amazon Inspector). 1
file_path ~/.local/state/<daemon>/{install.nonce,machine.id} Host state artifacts (install nonce + machine id) written by the Rust infostealer second stage (Amazon Inspector). 1
file_path __[0-9A-F]{10}_TAG Re-entrancy guard variable-name pattern in the obfuscator.io first-stage blobs (e.g. __EE9863E13F_TAG). Together with the string-array function name it defines the 5 build clusters (A=__EE9863E13F_TAG, B=__7D0A53D40B_TAG, C=__38CC632841_TAG, D=__70FE9F7AB6_TAG, E=__4C6BA78C7C_TAG). Members in the same cluster share an obfuscator seed, explaining the byte-identical blob reuse (Amazon Inspector + SafeDep). Hunt as a code/regex fingerprint. 1
ipv4 192.168.54.1 C2 host for MYRA RAT. RFC 1918 private address, unusual for public npm malware. Port 4444 (C2), port 5555 (screen viewer). Suggests lab/testing environment or internal network targeting. 0
email [email protected] npm publisher email for account kimijohn01, used to publish all 6 versions of apintergrationpost. Throwaway Proton Mail account. 0
sha256 6f4da8919cef1623f7a6a08cb66fc1b3d7f3e5d13f4f3b03c378c0f4a797f52f apintergrationpost v4.0.1 tarball hash 0
sha256 bff1cee1548dfc29da7618e11fcc2569ac849f9544056b89cbaa66d0874c1788 apintergrationpost v4.0.2 tarball hash 0
sha256 ba8e9452c53f5b66e47cc55e4e3531c1c59113950e49cf4eb5f14df1066f6390 apintergrationpost v4.0.3 tarball hash 0
sha256 cc1287f3eb21f176e6337db4739975c457578f4b3f54fd58c899b711f4cbc58f apintergrationpost v4.0.4 tarball hash 0
sha256 2253a51ce77c72ca1cad59fac8827a82d835bb64738cec42a2fa0d77bfac8b7e apintergrationpost v4.0.5 tarball hash 0
sha256 a6c687f276034f5bcf8070b750060c840a80a97e350592a015ed6e0974be87c4 apintergrationpost v4.0.6 tarball hash 0
file_path /usr/local/lib/.libcache.so LD_PRELOAD rootkit shared object. Hooks readdir/stat to hide MYRA files and processes. Compiled from C source during npm postinstall. 0
file_path /usr/local/lib/.cache-update.sh MYRA RAT wrapper/launcher script. Invoked by cron (*/13 * * * *) and profile.d. Sets LD_PRELOAD and launches the Node.js RAT agent. 0
file_path /etc/profile.d/.sh.local Login persistence. Sourced on every shell login to relaunch MYRA RAT via .cache-update.sh. 0
file_path /usr/lib/systemd/systemd-userdbd Overwritten with Node.js binary. MYRA RAT masquerades as systemd-userdbd service for process blending. 0
domain stitch-production.org C2 domain for credential exfiltration. Registered via GoDaddy on 2026-06-19T11:07:09Z, 75 minutes before first package publish. Cloudflare-fronted. Backend nginx/1.18.0 (Ubuntu). Mimics stitch.withgoogle.com production API. 0
ipv4 172.67.189.185 Cloudflare IP for stitch-production.org C2 domain 0
ipv4 104.21.65.94 Cloudflare IP for stitch-production.org C2 domain 0
url https://stitch-production.org/api/v1 C2 endpoint. Credential exfiltration via GET query parameters: ?src=<source>&user=<email>. Fallback beacon: ?email-not-found=true 0
email [email protected] npm publisher email for @withgoogle/stitch-sdk. Throwaway account. 0
sha256 ba5b2a9a7fe596734fb69bdf1a35071d1a2f435a36e8c870bd4390c562d9f614 @withgoogle/stitch-sdk v0.1.1 tarball hash 0
sha256 638b523ddd3382b622c412e37f274db1a9a6505893fa7236183f0b67a5355e94 @withgoogle/stitch-sdk v0.1.2 tarball hash 0
github_repo maximus-mcmillan/stitch-sdk Fabricated repository URL in package.json. GitHub user and repo do not exist (404 / deleted). 0
email [email protected] Operator email on the compromised `ehindero` npm account at time of the malicious @mastra republish. 1
email [email protected] Original email on the `ehindero` npm account during its clean @mastra/core alpha publishes (2024-11 to 2025-02); same account, later changed to tutamail. Account-takeover indicator. 1
email [email protected] Email of the `sergey2016` npm account that published the easy-day-js dropper. Sibling <name>[email protected] pattern shared with the operator. 1
ipv4 23.254.164.92 Stage-2 download host (dropper). HTTPS GET to https://23.254.164.92:8000/update/49890878. Hostwinds, PTR hwsrv-1327786.hostwindsdns.com. User-Agent gated: serves payload only to Node default UA. 1
ipv4 23.254.164.123 RAT stage-2 C2 (still live at analysis time). HTTPS POST to https://23.254.164.123/49890878. Hostwinds, PTR hwsrv-1327785.hostwindsdns.com. Fronts an expired wolfSSL test cert CN=www.wolfssl.com. 1
url https://23.254.164.92:8000/update/49890878 Dropper stage-2 retrieval URL; returns the 12-byte-hex-named JS RAT loader only to Node default User-Agent. 1
url https://23.254.164.123/49890878 RAT stage-2 C2 endpoint; base64-encoded JSON beacon/command protocol (type:prepare/tpcsr/r0), default 10-minute cycle. Campaign path /49890878 shared with the dropper. 1
sha256 221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badf Stage-2 payload: 41 KB obfuscated multi-platform cryptocurrency-stealer RAT. 1
sha256 4a8860240e4231c3a74c81949be655a28e096a7d72f38fbe84e5b37636b98417 [email protected] npm tarball (clean precursor, no install hook). 1
sha256 ae70dd4f6bc0d1c8c2848e4e6b51934626c4818dcb5af99d080ddbd7dc337185 [email protected] npm tarball (armed: postinstall RAT dropper setup.cjs). 1
sha256 2e2340f2ab71f321d3ef6fb9a7542fb9f30f3c65ba7ef924fcd8acc63829b5bf @mastra/[email protected] npm tarball (republished by ehindero, dist.attestations=null, easy-day-js dependency injected). 1
file_path setup.cjs [email protected] postinstall dropper (obfuscator.io custom-base64 string-array). Sets NODE_TLS_REJECT_UNAUTHORIZED=0, fetches stage 2, spawns detached node child, then self-deletes (fs.rmSync(__filename)). 1
file_path .pkg_history Marker file written to os.tmpdir() by setup.cjs (contains __dirname). 1
file_path .pkg_logs Marker file written to os.tmpdir() by setup.cjs (bytes of "easy-day-js" XOR 0x80). 1
file_path ~/Library/LaunchAgents/com.nvm.protocal.plist macOS RAT persistence LaunchAgent (typosquats nvm tooling). 1
file_path ~/Library/NodePackages/protocal.cjs macOS RAT payload body disguised as Node tooling. 1
file_path ~/.config/systemd/user/nvmconf.service Linux RAT persistence systemd user unit (typosquats nvm tooling). 1
file_path ~/.config/NodePackages/config.json Linux RAT config persistence (UID/PrimaryUrl/Cycle). 1
file_path C:\ProgramData\NodePackages Windows RAT persistence/config directory. 1
url https://files.catbox.moe/j4loim.chk Decoded C2 / payload URL, reconstructed from endpointmap's _ep+_p byte arrays XOR-decoded with the name-derived key 'endpoint'. catbox.moe is a public anonymous file host abused for inbound payload staging. 1
domain files.catbox.moe Payload staging host. catbox.moe flagged by 6/92 VirusTotal vendors at analysis time. Shared atom with LofyGang (lofygang-undicy-http) but used here for INBOUND payload staging vs LofyGang's OUTBOUND exfil — coincidental shared infra, NOT attribution. 1
domain deltajohnsons.com Custom throwaway email domain shared across all five npm maintainer accounts (one unique random local-part per package). Strongest cluster fingerprint for this operator. 1
email [email protected] procwire maintainer email. 1
email [email protected] routecraft maintainer email. 1
email [email protected] endpointmap maintainer email. 1
email [email protected] bytecraft maintainer email. 1
email [email protected] staticlayer maintainer email. 1
email [email protected] Invented author persona 'Anton Kuznetsov' (akuznetsov-oss org packages: procwire, routecraft). 1
email [email protected] Invented author persona 'Viktor Petrov' (vpetrov-oss org packages: bytecraft, endpointmap, staticlayer). 1
github_repo akuznetsov-oss Fabricated GitHub organization (now 404) for procwire and routecraft. 1
github_repo vpetrov-oss Fabricated GitHub organization (now 404) for bytecraft, endpointmap, staticlayer. 1
file_path lib/setup.js procwire preinstall entrypoint: win32 guard, name-derived XOR key, C2 decode, worker.init(). 1
file_path lib/registry.js endpointmap metadata-only C2 store: XOR-encoded _ep and _p byte arrays disguised as endpoint constants. 1
domain olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion Tor hidden-service C2 for the Atomic Arch implant. Beacon POST /api/agent HTTP/1.0; secondary-payload staging at /bin/linux with hash verification at /bin/sha256/linux. Onion host is XOR-obfuscated in the binary (32-byte repeating key at offset 0x1AA60, 62-byte ciphertext at 0x2DA96). Same /api/agent beacon path as IronWorm. 1
sha256 6144d433f8a0316869877b5f834c801251bbb936e5f1577c5680878c7443c98b Dropper ELF inside [email protected] (./src/hooks/deps). Stripped Rust-async Linux ELF64 PIE, entry 0xeae00, 3,040,376 bytes. MD5 42b59fdbe1b72895b2951412222ebf40. 1
md5 42b59fdbe1b72895b2951412222ebf40 MD5 of the atomic-lockfile dropper ELF (./src/hooks/deps). 1
sha256 7883bda1ff15425f2dbe622c45a3ae105ddfa6175009bbf0b0cad9bf5c79b316 Linux ELF payload embedded in the js-digest npm package (Atomic Arch wave-2 / bun-delivered variant). 1
sha256 47893d9badc38c54b71321263ce8178c1abb10396e0aadf9793e61ec8829e204 Secondary payload fetched from the Tor C2 at /bin/linux (verified against /bin/sha256/linux). Suspected cryptominer; detection hint is modification of /usr/bin/monero-wallet-gui. 1
file_path src/hooks/deps Path of the Rust-async ELF infostealer dropper inside the atomic-lockfile npm tarball; invoked by the package.json preinstall hook (preinstall: ./src/hooks/deps). 1
file_path scales.bpf.c eBPF rootkit component source filename. Hooks getdents64() to hide PIDs from /proc, filenames from directory listings, and socket inodes from /proc/net/tcp + netlink (NETLINK_SOCK_DIAG). Pinned BPF maps /sys/fs/bpf/hidden_pids, /sys/fs/bpf/hidden_names, /sys/fs/bpf/hidden_inodes. Kills ptrace (PTRACE_ATTACH/PTRACE_SEIZE). IronWorm equivalent was q2.bpf.c. 1
github_repo fardewoak/nodejs-argo GitHub repo hosting a container image (ghcr.io herbsobering430) tied to the npm publisher herbsobering; appears to be reverse-shell / proxy tooling associated with the Atomic Arch operator. 1
url https://o4511539639222272.ingest.de.sentry.io/api/4511539669368912/envelope/ Sentry ingest (envelope) endpoint abused as the C2/exfiltration drop. build.rs POSTs stolen git metadata and source diffs here via curl. Sentry org ID o4511539639222272, project ID 4511539669368912, region host ingest.de.sentry.io. 0
domain o4511539639222272.ingest.de.sentry.io Region-pinned Sentry ingest host (org subdomain o4511539639222272, EU/de region) used for exfiltration. 0
github_repo cenotelie/onering Source repository of the onering crate; malicious build.rs introduced in commit 45e552f541dd96c2ac224d1b97cb7cda1c1d63e9. 0
file_path build.rs Cargo build script added to the crate; executes at compile time on the consumer machine and performs the data collection and exfiltration. 0
url https://8197ee42c4f59c83f4cc6d48f5bae821@o4511539639222272.ingest.de.sentry.io/4511539669368912 Full Sentry DSN embedded in the envelope 'dsn' field. The public key 8197ee42c4f59c83f4cc6d48f5bae821 is the most specific attributable indicator in the payload (distinct from the bare ingest URL). DSN form: https://<public_key>@o<org>.ingest.<region>.sentry.io/<project_id>. Hunt for the literal key 8197ee42c4f59c83f4cc6d48f5bae821 in package sources and outbound traffic. 0
file_path Cargo.toml Dependency-level indicator: the malicious commit adds a build-dependency 'uuid = { version = "1.23", default-features = false, features = ["v4"] }' to Cargo.toml, used for Uuid::new_v4().as_simple() to generate the Sentry event_id. An otherwise-unexpected 'uuid' build-dep appearing alongside a new build.rs is a strong combined signal. 0
sha256 51b4dd39a15af1e28e97adc375849d688423ec3d88e8010644395fcdea52a3cc core/telemetry/_hooks.py — Python stager injected into gpt-pilot; derived from edxeth/Shai-Hulud-Open-Source PYTHON_LOADER.py 1
sha256 c96f37e1b9cdc9683a300909492ed9f770b620d0037e5b80e23753cba7ca4077 core/telemetry/_runtime.bin — 758 KB Bun JS payload with // @bun @bun-cjs header, MxGPr9 string-array rotation obfuscation, fromCodePoint decoder 1
file_path core/telemetry/_hooks.py Python stager file path in compromised gpt-pilot repository 0
file_path core/telemetry/_runtime.bin Bun JS payload file path; .bin extension used to blend with compiled asset naming conventions 0
file_path core/telemetry/.loader.lock Run-once lock file; presence indicates prior stager execution on the host 1
github_repo Pythagora-io/gpt-pilot Compromised Python AI coding assistant repository; injected via direct PAT push 1
github_repo edxeth/Shai-Hulud-Open-Source Attacker toolkit repository (created 2026-05-13); contains src/assets/PYTHON_LOADER.py — the template for the gpt-pilot stager 1
github_repo deadbeef3137/Shai-Hulud-Open-Source Fork of attacker toolkit edxeth/Shai-Hulud-Open-Source 0
file_path tools/setup ~976 KB UPX-packed Rust ELF infostealer binary dropped inside the malicious npm tarball; invoked by the package.json preinstall hook (preinstall: ./tools/setup). 1
file_path .github/scripts/precheck Alternate in-repo path for the IronWorm Rust binary dropper, committed under the spoofed claude author identity. 1
file_path q2.bpf.c eBPF rootkit component source filename recovered from .BTF.ext debug metadata left in the embedded ELF object (214 verbatim source lines). Provides process hiding (/proc rewriting), TCP socket hiding (netlink filtering), and anti-debugging (ptrace interception, SIGKILL). 1
url http://127.0.0.1:8738 Local loopback HTTP listener used to capture wallet credential POSTs (Exodus desktop wallet password + BIP-39 seed mnemonic injected from the browser/app). 1
url https://temp.sh Fallback exfiltration host (public file-sharing service), reached over Tor via POST /upload when the primary Tor hidden-service C2 is unavailable. Same fallback as IronWorm. 2
url tor://api/agent Primary C2 beacon path /api/agent served over a Tor hidden service (.onion address not published by the researcher). Provides remote shell plus file download/execute. Tor reached via custom torrc + downloaded Tor expert bundle. 1
url https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package npm OIDC Trusted Publishing token-exchange endpoint abused for self-replication: mints a package-scoped automation token without stored credentials, then republishes trojanized versions. 1
wallet 0x7e28D9889f414B06c19a22A9Bd316f0AC279a4d6 Operator's own Ethereum wallet, derived from a hardcoded BIP-39 recovery phrase ('bench crane defense corn wheel trial news abuse finish better paddle slush') left inside the binary and present in the malware's wallet skip-list. Near-empty test wallet; an OPSEC failure that aids attribution. 1
github_repo asteroid-dao/eternal-storage Victim GitHub repo poisoned by IronWorm. Malicious commit SHA a8f0c75a77698759413dbadcb99b62709816ed42 (backdated, spoofed claude author). 1
github_repo asteroid-dao/asteroid-protocol Victim GitHub repo poisoned by IronWorm. Malicious commit SHA 5d7c93caf50a447a8d48cafe2e5cff6b47618b13. 1
github_repo alisista/aht-testnet Victim GitHub repo poisoned by IronWorm. Malicious commit SHA 10c619e75181d07ddcccb5c1f62766c85fef08df. 1
github_repo ocrybit/mweb3waves Victim GitHub repo (compromised account ocrybit) poisoned by IronWorm. Malicious commit SHA 0fe6a098fe698e586188e0f2e851ef43f1a35958. 1
github_repo ocrybit/by-coffeescript Victim GitHub repo (compromised account ocrybit) poisoned by IronWorm. Malicious commit SHA fd64413119575fa119eaa9f94d32208c7d916796. 1
email [email protected] npm maintainer email for account speedsteraxios (faster-axios publisher). Offensive/racist throwaway. Weak actor selector. 1
sha256 f89694ba247a7a67e582572094c9f19d2e09882eff8917f78125d54b733bd24e [email protected] npm tarball 1
sha256 80c18e0d71a31a2e66d8796c6d7081fa3414c1801057131f1cd851c87c1a029e [email protected] npm tarball 1
sha256 bc46e88b1fdf8c27e3404146306b4651f69728f7d8d939a219dfbcb5a23ef69a Stage 4 hello.exe. PE32 NSIS self-extracting installer, 86,235,515 bytes (~86MB). Contains electron-builder Electron app with Epsilon Stealer in resources/app.asar -> src/index.js (3,360 lines). NSIS header references www.inkscape.org (decoy). 1
url https://cold5.gofile.io/download/web/c5d2304a-2ede-4fd8-904b-9a6cdd3f8a6c/analyst.js faster-axios v1.17.3 stage-2 delivery URL (gofile.io file hosting). Now returns landing page; likely token-gated or removed. 1
url https://apparently-movers-mysql-heights.trycloudflare.com/download/datab1 faster-axios v1.17.4 stage-2 delivery URL (Cloudflare quick-tunnel C2). LIVE, returned HTTP 200. Stage 3 = Windows-only dropper. 1
url https://apparently-movers-mysql-heights.trycloudflare.com/download/epsilon Stage 4 download URL. Dropper fetches hello.exe to %TEMP% and runs via child_process.execFile. 1
url https://apparently-movers-mysql-heights.trycloudflare.com/download/browser Shellcode download URL. Epsilon Stealer fetches XOR-encoded (key 0xAA) shellcode for process injection into dllhost.exe. 1
domain apparently-movers-mysql-heights.trycloudflare.com Cloudflare quick-tunnel C2 host for faster-axios. Serves: stage-2 delivery (/download/datab1), stage-4 PE (/download/epsilon), and shellcode (/download/browser). 1
domain recorded-distinct-face-girlfriend.trycloudflare.com Epsilon Stealer exfil API tunnel. Endpoints: /customer (registration), /upload (file exfil), /discord-token (Discord token exfil), /clip (clipboard data). 1
url https://recorded-distinct-face-girlfriend.trycloudflare.com/customer Epsilon Stealer exfil API base. Sub-endpoints: /upload, /discord-token, /clip. 1
domain consequences-faces-weblogs-clinical.trycloudflare.com SHARED INFRASTRUCTURE linking turbo-axios and faster-axios (high confidence same operator). turbo-axios v1.17.2 used this tunnel as stage-2 C2 at /download/datab1. faster-axios Epsilon Stealer source references this tunnel as DOWNLOAD_URL constant (line 99) at /download/load. Campaign-level pivot indicator. 1
url https://consequences-faces-weblogs-clinical.trycloudflare.com/download/load Secondary download URL used by Epsilon Stealer (faster-axios) for additional payload retrieval. 1
url https://consequences-faces-weblogs-clinical.trycloudflare.com/download/datab1 turbo-axios v1.17.2 stage-2 C2 endpoint. Same tunnel reused in faster-axios Epsilon Stealer source. Key infrastructure pivot linking both packages to one operator. 1
domain philosophy-moms-incoming-milton.trycloudflare.com Cloudflare quick-tunnel C2 for turbo-axios v1.17.3 stage-2 delivery. Endpoint: /download/datab1. Rotated tunnel after consequences-faces-weblogs-clinical was used for v1.17.2. 1
url https://philosophy-moms-incoming-milton.trycloudflare.com/download/datab1 turbo-axios v1.17.3 stage-2 delivery URL. Rotated Cloudflare quick-tunnel with same /download/datab1 path pattern as all other campaign tunnels. 1
domain prep-integer-lit-preferences.trycloudflare.com WebSocket RAT gateway for Epsilon Stealer. Persistent WSS connection with auto-reconnect. Supports arbitrary cmd.exe/powershell execution with real-time stdout streaming. 1
file_path %TEMP%\hello.exe Windows drop path for stage-4 NSIS PE, executed via child_process.execFile. 1
file_path %LOCALAPPDATA%\Microsoft\Windows\0\svchost.exe Epsilon Stealer persistence copy. Binary copied here and launched via HKCU Run key on reboot. 0
file_path HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost Registry Run key set by Epsilon Stealer for boot persistence. Points to %LOCALAPPDATA%\Microsoft\Windows\0\svchost.exe. 0
file_path %TEMP%\browser-extraction-<username> Staging directory for injected browser credential data. <username> replaced with victim's Windows username. 0
file_path %TEMP%\epsilon-<username> Main staging directory for all Epsilon Stealer exfil data. <username> replaced with victim's Windows username. 0
github_repo speedsteraxios npm publisher account handle for faster-axios (used as weak actor selector; not a confirmed GitHub repo). 1
email [email protected] npm maintainer email for the emcd-vue account that published the Wave 3 packages. Anonymous Proton Mail address. Fourth email identity tied to the oob-moika-tech campaign. 1
domain emcd-vue.io Fake domain used in Wave 3 package README and metadata to impersonate the EMCD organization. Not related to real emcd.io. Social engineering artifact. 1
domain github.emcd-vue.io Fake GitHub subdomain used as the repository URL in @emcd-vue package metadata (git+https://github.emcd-vue.io/platform/auth.git). Social engineering artifact designed to mimic a private GitHub Enterprise instance. 0
file_path ~/.emcd-vue_init.js Second-stage dropper written to the user home directory (not OS temp dir) by the Wave 3 postinstall hook, then spawned detached. Dot-hidden file. Persistence upgrade over Waves 1+2 which used os.tmpdir(). 1
file_path ~/.emcd-vue_init/ Home-directory cache directory used for run-once deduplication. Contains JSON files keyed by hash(package_name + hostname + project_root). Wave 3 replacement for Wave 2's ~/.cache/._t-in-one_init/. 0
file_path EMCD_VUE_NO_TELEMETRY Functional kill switch environment variable checked by the Wave 3 postinstall code. Setting this variable causes the payload to exit early without beaconing. NOT the variable advertised in the README (which is EMCD_VUE_8D440FE1_NO_TEL — non-functional by design). 0
file_path EMCD_VUE_8D440FE1_NO_TEL README-advertised kill switch env var — deliberately mismatched from the functional code kill switch (EMCD_VUE_NO_TELEMETRY). Setting this variable does NOT prevent payload execution. Social engineering artifact: the 8D440FE1 hex fragment in the name indicates deliberate construction, not a typo. 0
sha256 031ba872d5a84bfb18115f432811e4b45180346a1bae653f7fd85f918e7bb3a3 [email protected] malicious tarball SHA256 1
sha256 df1732f5bfec12e066be44dee02ec8a243e4868d38672c1b1d065359dd735a14 index.js dropper SHA256 (ROT-9 + AES-128-GCM loader) 1
sha256 0dc06ecdaa63fe24859cfd955053c23245c536e4733480239d14bebf12688e35 decrypted Bun worm payload SHA256 1
url https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/ npm OIDC-to-publish-token exchange endpoint abused for self-propagation 1
url https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/ Bun runtime download URL used by the Miasma worm bootstrapper across all waves (inferred for Wave 5; unconfirmed until payload is reversed) 1
file_path /var/run/secrets/kubernetes.io/serviceaccount/token Kubernetes service account token harvested 1
file_path /var/run/docker.sock Docker socket abused for container escape 1
file_path /tmp/p<random>.js Temp file pattern for decoded worm payload before Bun execution (inherited from prior Miasma waves; unconfirmed for Wave 5 until payload is reversed) 1
file_path /tmp/b-<random>/bun runtime artifact (downloaded Bun runtime) 1
file_path /tmp/kitty-<random> runtime worm artifact 1
domain login.microsoftonline.com Azure managed identity / token endpoint queried 1
domain graph.microsoft.com Azure Graph API queried for identity data 1
email [email protected] spoofed/unconfirmed git author on malicious commits (Justin Orringer) 1
github_repo RedHatInsights/javascript-clients compromised repo; workflow ci.yml; branches oidc-4d5900f3, oidc-6523a11b; 15 packages 1
github_repo RedHatInsights/frontend-components compromised repo; workflow ci.yaml; branches oidc-61fff775, oidc-af10000d; 14 packages 1
github_repo RedHatInsights/platform-frontend-ai-toolkit compromised repo; workflow release.yml; branches oidc-2530ec68, oidc-93b9a955; 3 packages 1
email [email protected] npm maintainer email for the t-in-one account that published the 12 Wave 2 packages. First email identity tied to the oob-moika-tech campaign (Wave 1 accounts mr.4nd3r50n and pik-libs had no public email). 1
file_path ._t-in-one_init.js Second-stage dropper written to the OS temp directory (os.tmpdir()) by the Wave 2 postinstall hook, then spawned detached. Follows the same ._<scope>_init.js naming pattern as Wave 1's ._cloudplatform-single-spa_init.js. 1
file_path ~/.cache/._t-in-one_init/ Run-once de-duplication marker directory created by the Wave 2 payload so a host is beaconed only once. New in Wave 2. 0
domain npm.t-in-one.io Fabricated internal npm registry domain in the @t-in-one README and .npmrc lure (registry=https://npm.t-in-one.io). Social engineering artifact; not confirmed functional infrastructure. 1
domain docs.t-in-one.io Fabricated docs domain in @t-in-one README. Social engineering artifact; not confirmed functional. 0
domain jira.t-in-one.io Fabricated Jira domain in @t-in-one README. Social engineering artifact; not confirmed functional. 0
sha256 23ccdefb9b917373a4b723d8d482eb6b8880e7e45b0d21cfa5d21d5c27da4918 SHA256 of the @t-in-one/[email protected] npm tarball (registry.npmjs.org). Sample Wave 2 artifact. 0
domain copilot-ai.whisdev.org Secondary hostname on C2 IP 195.201.194.107. Linked to bink/ptc-bink/whisdev persona cluster (JFrog attribution). 1
domain sha256-validate-rpc.vercel.app Contagious Trader exfil endpoint used by polymarket-validator (toskypi, Feb 2026) 1
domain changelog.rest Contagious Trader exfil endpoint used by changelog-logger-utilities (toskypi, Mar 2026) 1
domain polblxpnl.space Contagious Trader C2 domain 0
sha256 b2954c945b51dbd6fa88ac72338b7fbf76dec7d9909ceada9d36b21330842c97 MicrosoftSystem64 Linux ELF binary (81 MB Node.js SEA, v1.0.8) 1
email [email protected] npm account toskypi, linked to ~20 DPRK npm accounts per kmsec.uk. Published polymarket-validator, changelog-logger-utilities. Famous Chollima. 1
url https://huggingface.co/jpeek998/system-releases/resolve/main Binary update URL for MicrosoftSystem64 self-update (24h interval) 1
url https://huggingface.co/Lordplay/system-releases Original binary hosting repo on HuggingFace (disabled by HF, account Lordplay created 2025-11-24). Shared by jpeek868/886/895 cluster. 1
url https://huggingface.co/jpeek998/linux_doc_75a5ffec36ca Third victim dataset: 48 screenshot files, started 2026-05-28T06:10:24Z. Active compromise evidence. 1
file_path ~/.local/share/MicrosoftSystem64 Linux install directory for MicrosoftSystem64 binary and state files 1
file_path ~/.pcl-state/uploads.json Screenshot upload state tracker for HuggingFace exfiltration 1
domain oob.moika.tech Shared C2 host across all three waves. Hosts /report exfiltration endpoint and /payload/{platform} second-stage scripts. Wave 3 platform strings: linux-x64, darwin-arm64, win. 1
url https://oob.moika.tech/report Exfiltration endpoint. Receives HTTP POST with process.env, hostname, username, platform, arch, cwd, Node.js version, and X-Secret authentication header. 1
url https://oob.moika.tech/payload/mac.js Second-stage payload for macOS, fetched by postinstall hook on darwin systems. 1
url https://oob.moika.tech/payload/win.js Second-stage payload for Windows, fetched by postinstall hook on win32 systems. 1
url https://oob.moika.tech/payload/linux.js Second-stage payload for Linux, fetched by postinstall hook on linux systems. 1
file_path ._cloudplatform-single-spa_init.js Temp file written by the postinstall hook when downloading the second-stage payload. Written to the OS temp directory (os.tmpdir()). Name is consistent across all packages regardless of scope. 1
domain telemetry.car-loans.io Fabricated telemetry domain appearing only in @car-loans scope README text. Social engineering artifact — not confirmed functional C2. Declared opt-out: CAR_LOANS_NO_TELEMETRY=1. Actual exfiltration target is oob.moika.tech. 1
domain telemetry.cloudplatform-single-spa.io Fabricated telemetry domain appearing only in @cloudplatform-single-spa scope README text. Social engineering artifact — not confirmed functional C2. Declared opt-out: CLOUDPLATFORM_SINGLE_SPA_NO_TELEMETRY=1. Actual exfiltration target is oob.moika.tech. 1
domain npm.car-loans.io Fabricated private npm registry domain in @car-loans README and .npmrc comment (registry=https://npm.car-loans.io). Social engineering artifact confirming target org uses a private npm registry — the precondition for dependency confusion. Not confirmed functional infrastructure. 1
domain npm.cloudplatform-single-spa.io Fabricated private npm registry domain in @cloudplatform-single-spa README. Social engineering artifact confirming target org uses a private npm registry. Not confirmed functional infrastructure. 1
domain 21baseballacademy.com Ad script delivery domain used by terminal3airport packages. Hosts external JS payload at cdn.21baseballacademy.com. 0
domain abdct.com Popunder redirect destination triggered by adware in terminal3airport packages. 0
domain woofbeginner.com Additional ad/monetization script host used by terminal3airport packages. 0
url https://cdn.21baseballacademy.com/script/jrqK2HPsliMjRW5Q.js External ad script injected into proxy pages by terminal3airport packages. 0
url https://woofbeginner.com/0a/91/35/0a913561831bdf2c26dcf18b852b5cc1.js Additional monetization script loaded by terminal3airport adware. 0
email [email protected] npm maintainer email for terminal3airport account. Published all 141 malicious packages. 0
github_repo lucideproxy/svg GitHub repository referenced in package source code. Associated with Lucide Proxy project. 0
sha256 0d27f455ae056aa908c276d9b17a73d469227257838ec9bcbcb3f1c66169b5a4 SHA-256 of obfuscated JS file a3g0q43tbe.js found in wave 2-3 packages. 0
url ws://204.10.194.247:9877 WebSocket C2 relay endpoint for forge-jsx RAT campaign 1
url http://204.10.194.247:8765 HTTP API endpoint for forge-jsx RAT campaign 1
email [email protected] npm account email for jacksonkaandorp2, publisher of forge-jsxy (Wave 2) 1
email [email protected] npm account email for rafael_silva, publisher of forge-jsx4 (Wave 3) 1
domain taohunter.ai Domain associated with johntaohunter npm account (Wave 1) 1
sha256 4938d47fe6216f8f9fee0527bf5112c04c15a9ea62f87869677619aa5400f09f SHA-256 of forge-jsxy v1.0.91 (latest Wave 2 version) 1
sha256 8070daba5d6ca61c357574526d1e0f468ae575a4edf74cc90a8d8b8c78e3aeef SHA-256 of forge-jsxy v1.0.66 (first Wave 2 version) 1
sha256 6321dacc21675f81c4cee7db8434ca4cf0e228d3b592bde26a0a40f223dbb00e SHA-256 of forge-jsx4 v1.0.123 tarball (Wave 3) 1
file_path ~/.config/systemd/user/forge-js-worker.service Linux systemd persistence for forge-jsx RAT 1
file_path ~/.config/autostart/forge-js-worker.desktop Linux XDG autostart persistence for forge-jsx RAT 1
file_path ~/Library/LaunchAgents/com.forgejs.worker.plist macOS LaunchAgent persistence for forge-jsx RAT 1
ipv4 212.193.3.61 New C2 IP introduced in Wave 3 parallel packages (pino-zod, zod-pino). AS unknown. WebSocket relay port 9877, HTTP API port 8765. Rotated from 204.10.194.247. 1
url ws://212.193.3.61:9877 WebSocket C2 relay endpoint for forge-jsx RAT Wave 3 parallel packages (pino-zod, zod-pino) 1
url http://212.193.3.61:8765 HTTP API endpoint for forge-jsx RAT Wave 3 parallel packages (pino-zod, zod-pino) 1
sha256 0eb72e0794c7e51ca1d790c443b5f573e1288bad6e6c56d1bd9c4b69a71d65d0 SHA-256 of pino-zod v1.0.122 tarball (Wave 3 parallel) 1
sha256 1f7616b3c38f85860abd9ae989d72915e9c13f0d106804471a811a38d63e5293 SHA-256 of zod-pino v1.0.125 tarball (Wave 3 parallel, latest known version) 1
domain polymarketbot.polymarketdev.workers.dev Network indicator from blog post 1
sha256 e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb SHA-256 hash from blog post 1
email [email protected] Email indicator from blog post 1
domain utaq.cfww.shop Former Coruna exploit kit host (Phase 2). 180.178.50.158 AS45753 Netsec Limited HK. Hosted 14 exploit modules (606KB) at /gooll/. DEAD as of 2026-07-03. 1
domain git.youzzjizz.com Former payload host (Phase 1, version 4.13.3). String.fromCharCode decoded URL. DEAD as of 2026-07-03. 1
ipv4 180.178.50.158 IP for utaq.cfww.shop (former Coruna exploit kit host, Phase 2). AS45753 Netsec Limited, Hong Kong. DEAD. 1
ipv4 172.67.141.14 Cloudflare IP for l1ewsu3yjkqeroy.xyz (former C2 sync, Phase 2). DEAD. 1
ipv4 104.21.40.254 Cloudflare IP for l1ewsu3yjkqeroy.xyz (former C2 sync, Phase 2). DEAD. 1
sha256 273206e2973df6ba7474aa66693797c98dcf26b794da4c3e863ab8d8c694868d [email protected] npm tarball (Phase 1) 1
sha256 5b5fe5d92808a732d0d44246cd706295cc739ed7f4dcae19112df666bc5d4f7d [email protected] npm tarball (Phase 2, unpublished from npm) 1
sha256 101afde88ff8b5c02fd341eda55022a39203088c2ff11dcb73214911cf5afb77 [email protected] npm tarball (Phase 2, unpublished from npm) 1
sha256 d8e3973a0b3c5359d1f53a22491b56bdd31dee13a51c01c7126bc6694584512f Original Coruna exploit kit payload served from v3.jiathis.com/code/jia.js (Phase 2, no longer served) 1
sha256 f31bdd069fe7966ae11be1f78ee5dd44445938856dd1df12379e0e84a6851f5c 49554fde7424c31c.js stage-4 Coruna malware loader (50KB, Phase 2) 1
sha1 57620206d62079baad0e57e6d9ec93120c0f5247 SHA-1/commit-like hash from blog post 1
sha1 14669ca3b1519ba2a8f40be287f646d4d7593eb0 SHA-1/commit-like hash from blog post 1
md5 7d86eb847ecfd3c972fa457a6abaa0da MD5 hash from blog post 0
email [email protected] Persistent maintainer account (daughtrymom). Controls art-template, express-art-template, art-template-loader, koa-art-template across all phases. 1
email [email protected] Phase 2 publisher account (npmpacketmaintainmember7). Published 4.13.5 and 4.13.6. Removed from maintainers after Phase 3. 1
email [email protected] Original legitimate author (aui/tangbin). No longer a maintainer. Transferred ownership after acquisition fraud by KILLER WHAL AI SDN BHD. 1
email [email protected] Phase 1 publisher account (v4v5qc). Published 4.13.3 and 4.13.4. No longer a maintainer. 1
ipv4 169.254.170.2 AWS ECS task metadata endpoint queried for credentials 2
domain paidgirl.site Operator-controlled origin allow-listed in common-tg-service auth guard 0
domain cms.paidgirl.site ams-ssk deployment serving folders/:folder/files/download-all consumed by common-tg-service 1
domain helper-thge.onrender.com Attribution-laundering HTTP relay; used by common-tg-service on 403/495 responses 1
domain promoteclients2.glitch.me Operator host leaked in ams-ssk Swagger DTO; sequential staging (promoteClients2) 0
domain zomcall.netlify.app Allowed origin in common-tg-service auth guard 0
domain report-upi.netlify.app Allowed origin; names the UPI/India targeting 0
email [email protected] Hardcoded 2FA recovery email implanted on every hijacked Telegram account 1
email [email protected] Operator npoint.io account credentials committed in npoint.service.js 0
email [email protected] npm publisher email for shetty123 (publisher of both packages) 0
ipv4 31.97.59.2 Operator IP allow-listed in common-tg-service auth guard 0
ipv4 148.230.84.50 Operator IP allow-listed in common-tg-service auth guard 0
ipv4 13.228.225.19 Operator IP allow-listed in common-tg-service auth guard 0
ipv4 18.142.128.26 Operator IP allow-listed in common-tg-service auth guard 0
ipv4 54.254.162.138 Operator IP allow-listed in common-tg-service auth guard 0
sha1 5061bc9611e31a48a8085cfab4cb875a6cc633ec common-tg-service-1.3.207.tgz npm tarball 0
sha1 80da04770a779330803bdd00d00a354adc12859a ams-ssk-1.0.33.tgz npm tarball 0
email [email protected] Spoofed git commit author identity used to plant the binary dropper and blend with AI-assistant automation. Also seen across the Shai-Hulud / Mini Shai-Hulud worm family. 3
domain franki.requestcatcher.com Network indicator from blog post 1
ipv4 169.254.169.254 AWS IMDS endpoint queried for cloud credentials 3
ipv4 204.10.194.247 C2 server (AS206216 Advin Services LLC, Nurnberg DE). WebSocket relay on port 9877, HTTP API on port 8765. Shared across all forge-jsx/forge-jsxy/forge-jsx4 waves. 1
sha256 4cb96c3b033c1aaf7b3d0fe54749058f14d4d914947a6d6d430aca108a7daa5a SHA-256 of forge-jsx (Wave 1) 1
email [email protected] npm account email for johntaohunter, publisher of @johntaohunter/forge-jsx 1
email [email protected] npm account email for johnceballos0716, publisher of forge-jsx (Wave 1) 1
domain api-sub.jrodacooker.dev Earlier C2 domain for js-logger-pack, DNS since removed 1
domain huggingface.co Network indicator from blog post 1
ipv4 195.201.194.107 WebSocket + HTTP C2 server on port 8010. Hetzner, DE, AS24940. Secondary hostname: copilot-ai.whisdev.org. 1
email [email protected] npm publisher account jpeek868, author of js-logger-pack. Part of jpeek account rotation cluster (jpeek868/886/895). DPRK Famous Chollima. 1
domain ipinfo.io Legitimate service abused by Epsilon Stealer for victim geolocation (GET /json). Also used for sandbox IP blacklist check. 1
email [email protected] Email indicator from blog post 1
domain discord.com Network indicator from blog post 2
sha256 3733f0add545e5537a7d3171a132df51e0b4105aebe85db35dbe868a056d3d24 SHA-256 hash from blog post 1
sha256 62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0 SHA-256 hash from blog post 1
sha256 a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a SHA-256 hash from blog post 1
email [email protected] Email indicator from blog post 1
domain webhook.site Network indicator from blog post 2
sha256 bc18414929992e8e8d2211f9c51ebc7241294a1af3cfdbdd5ca417974b2dac0b SHA-256 hash from blog post 1
sha256 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09 SHA-256 hash from blog post 1
email [email protected] Email indicator from blog post 1
email [email protected] Email indicator from blog post 1
sha1 fc4a4858bafef54d1b1d7697bfb5c52f4c166976 SHA-1/commit-like hash from blog post 1
md5 19111111111111111111111111111111 MD5 hash from blog post 1
wallet 0x66a9893cC07D91D95644AEDD05D03f95e1dBA8Af Cryptocurrency wallet address from blog post 1
wallet 0x10ed43c718714eb63d5aa57b78b54704e256024e Cryptocurrency wallet address from blog post 1
wallet 0x13f4ea83d0bd40e75c8222255bc855a974568dd4 Cryptocurrency wallet address from blog post 1
wallet 0x1111111254eeb25477b68fb85ed929f73a960582 Cryptocurrency wallet address from blog post 1
wallet 0xd9e1ce17f2641f24ae83637ab66a2cca9c378b9f Cryptocurrency wallet address from blog post 1
wallet 0xfc4a4858bafef54d1b1d7697bfb5c52f4c166976 Cryptocurrency wallet address from blog post 1
wallet 0x66a9893cc07d91d95644aedd05d03f95e1dba8af Cryptocurrency wallet address from blog post 1
wallet 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976 Cryptocurrency wallet address from blog post 1
wallet 0xa29eeFb3f21Dc8FA8bce065Db4f4354AA683c024 Cryptocurrency wallet address from blog post 1
wallet 0x40C351B989113646bc4e9Dfe66AE66D24fE6Da7B Cryptocurrency wallet address from blog post 1
wallet 0x30F895a2C66030795131FB66CBaD6a1f91461731 Cryptocurrency wallet address from blog post 0
wallet 0x57394449fE8Ee266Ead880D5588E43501cb84cC7 Cryptocurrency wallet address from blog post 0
wallet 0xCd422cCC9f6e8f30FfD6F68C0710D3a7F24a026A Cryptocurrency wallet address from blog post 0
wallet 0x7C502F253124A88Bbb6a0Ad79D9BeD279d86E8f4 Cryptocurrency wallet address from blog post 0
wallet 0xe86749d6728d8b02c1eaF12383c686A8544de26A Cryptocurrency wallet address from blog post 0
wallet 0xa4134741a64F882c751110D3E207C51d38f6c756 Cryptocurrency wallet address from blog post 0
wallet 0xD4A340CeBe238F148034Bbc14478af59b1323d67 Cryptocurrency wallet address from blog post 0
wallet 0xB00A433e1A5Fc40D825676e713E5E351416e6C26 Cryptocurrency wallet address from blog post 0
wallet 0xd9Df4e4659B1321259182191B683acc86c577b0f Cryptocurrency wallet address from blog post 0
wallet 0x0a765FA154202E2105D7e37946caBB7C2475c76a Cryptocurrency wallet address from blog post 0
wallet 0xE291a6A58259f660E8965C2f0938097030Bf1767 Cryptocurrency wallet address from blog post 0
wallet 0xe46e68f7856B26af1F9Ba941Bc9cd06F295eb06D Cryptocurrency wallet address from blog post 0
wallet 0xa7eec0c4911ff75AEd179c81258a348c40a36e53 Cryptocurrency wallet address from blog post 0
wallet 0x3c6762469ea04c9586907F155A35f648572A0C3E Cryptocurrency wallet address from blog post 0
wallet 0x322FE72E1Eb64F6d16E6FCd3d45a376efD4bC6b2 Cryptocurrency wallet address from blog post 0
wallet 0x51Bb31a441531d34210a4B35114D8EF3E57aB727 Cryptocurrency wallet address from blog post 0
wallet 0x314d5070DB6940C8dedf1da4c03501a3AcEE21E1 Cryptocurrency wallet address from blog post 0
wallet 0x75023D76D6cBf88ACeAA83447C466A9bBB0c5966 Cryptocurrency wallet address from blog post 0
wallet 0x1914F36c62b381856D1F9Dc524f1B167e0798e5E Cryptocurrency wallet address from blog post 0
wallet 0xB9e9cfd931647192036197881A9082cD2D83589C Cryptocurrency wallet address from blog post 0
wallet 0xE88ae1ae3947B6646e2c0b181da75CE3601287A4 Cryptocurrency wallet address from blog post 0
wallet 0x0D83F2770B5bDC0ccd9F09728B3eBF195cf890e2 Cryptocurrency wallet address from blog post 0
wallet 0xe2D5C35bf44881E37d7183DA2143Ee5A84Cd4c68 Cryptocurrency wallet address from blog post 0
wallet 0xd21E6Dd2Ef006FFAe9Be8d8b0cdf7a667B30806d Cryptocurrency wallet address from blog post 0
wallet 0x93Ff376B931B92aF91241aAf257d708B62D62F4C Cryptocurrency wallet address from blog post 0
wallet 0x5C068df7139aD2Dedb840ceC95C384F25b443275 Cryptocurrency wallet address from blog post 0
wallet 0x70D24a9989D17a537C36f2FB6d8198CC26c1c277 Cryptocurrency wallet address from blog post 0
wallet 0x0ae487200606DEfdbCEF1A50C003604a36C68E64 Cryptocurrency wallet address from blog post 0
wallet 0xc5588A6DEC3889AAD85b9673621a71fFcf7E6B56 Cryptocurrency wallet address from blog post 0
wallet 0x3c23bA2Db94E6aE11DBf9cD2DA5297A09d7EC673 Cryptocurrency wallet address from blog post 0
wallet 0x5B5cA7d3089D3B3C6393C0B79cDF371Ec93a3fd3 Cryptocurrency wallet address from blog post 0
wallet 0x4Cb4c0E7057829c378Eb7A9b174B004873b9D769 Cryptocurrency wallet address from blog post 0
wallet 0xd299f05D1504D0B98B1D6D3c282412FD4Df96109 Cryptocurrency wallet address from blog post 0
wallet 0x241689F750fCE4A974C953adBECe0673Dc4956E0 Cryptocurrency wallet address from blog post 0
wallet 0xBc5f75053Ae3a8F2B9CF9495845038554dDFb261 Cryptocurrency wallet address from blog post 0
wallet 0x5651dbb7838146fCF5135A65005946625A2685c8 Cryptocurrency wallet address from blog post 0
wallet 0x5c9D146b48f664f2bB4796f2Bb0279a6438C38b1 Cryptocurrency wallet address from blog post 0
wallet 0xd2Bf42514d35952Abf2082aAA0ddBBEf65a00BA3 Cryptocurrency wallet address from blog post 0
wallet 0xbB1EC85a7d0aa6Cd5ad7E7832F0b4c8659c44cc9 Cryptocurrency wallet address from blog post 0
wallet 0x013285c02ab81246F1D68699613447CE4B2B4ACC Cryptocurrency wallet address from blog post 0
wallet 0x97A00E100BA7bA0a006B2A9A40f6A0d80869Ac9e Cryptocurrency wallet address from blog post 0
wallet 0x4Bf0C0630A562eE973CE964a7d215D98ea115693 Cryptocurrency wallet address from blog post 0
wallet 0x805aa8adb8440aEA21fDc8f2348f8Db99ea86Efb Cryptocurrency wallet address from blog post 0
wallet 0xae9935793835D5fCF8660e0D45bA35648e3CD463 Cryptocurrency wallet address from blog post 0
wallet 0xB051C0b7dCc22ab6289Adf7a2DcEaA7c35eB3027 Cryptocurrency wallet address from blog post 0
wallet 0xf7a82C48Edf9db4FBe6f10953d4D889A5bA6780D Cryptocurrency wallet address from blog post 0
wallet 0x06de68F310a86B10746a4e35cD50a7B7C8663b8d Cryptocurrency wallet address from blog post 0
wallet 0x51f3C0fCacF7d042605ABBE0ad61D6fabC4E1F54 Cryptocurrency wallet address from blog post 0
wallet 0x49BCc441AEA6Cd7bC5989685C917DC9fb58289Cf Cryptocurrency wallet address from blog post 0
wallet 0x7fD999f778c1867eDa9A4026fE7D4BbB33A45272 Cryptocurrency wallet address from blog post 0
wallet 0xe8749d2347472AD1547E1c6436F267F0EdD725Cb Cryptocurrency wallet address from blog post 0
wallet 0x2B471975ac4E4e29D110e43EBf9fBBc4aEBc8221 Cryptocurrency wallet address from blog post 0
wallet 0x02004fE6c250F008981d8Fc8F9C408cEfD679Ec3 Cryptocurrency wallet address from blog post 0
wallet 0xC4A51031A7d17bB6D02D52127D2774A942987D39 Cryptocurrency wallet address from blog post 0
wallet 0xa1b94fC12c0153D3fb5d60ED500AcEC430259751 Cryptocurrency wallet address from blog post 0
wallet 0xdedda1A02D79c3ba5fDf28C161382b1A7bA05223 Cryptocurrency wallet address from blog post 0
wallet 0xE55f51991C8D01Fb5a99B508CC39B8a04dcF9D04 Cryptocurrency wallet address from blog post 0
wallet 0x7a250d5630b4cf539739df2c5dacb4c659f2488d Cryptocurrency wallet address from blog post 0
wallet 0xe592427a0aece92de3edee1f18e0157c05861564 Cryptocurrency wallet address from blog post 0
sha256 863d274bbeb22ab969f742a06d89bdf0ababb99fdeb074a0fd9057f28b1ef257 SHA-256 hash from blog post 1
sha1 9066ceeb391d9c7ba6aba650109c2fa3f8e088eb SHA-1/commit-like hash from blog post 1
email [email protected] Email indicator from blog post 1
email [email protected] Email indicator from blog post 1
sha256 31204fbbc097677d518e1c01d88cf24b491ef29cc8f56d1ef2b81e5ccc8440e2 SHA-256 hash from blog post 1
sha256 c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441 SHA-256 hash from blog post 1
ipv4 206.214.129.67 IP address indicator from blog post 1
ipv4 8.152.163.60 IP address indicator from blog post 1
ipv4 13.60.183.44 IP address indicator from blog post 1
ipv4 13.60.0.0 IP address indicator from blog post 1
ipv4 13.63.255.255 IP address indicator from blog post 1
email [email protected] Email indicator from blog post 1