Indicators of Compromise
Every IOC SafeDep has linked to a malicious package or campaign — domains, IPs, emails, hashes, and crypto wallets.
| value | context | campaigns | |
|---|---|---|---|
| domain v3.jiathis.com | Payload server. Hijacked JiaThis social sharing service domain (Beijing, 2009). Re-registered through GoDaddy, routed via Cloudflare. Serves gambling redirect payload on jia.js path with Referer gating. art.js path returns 404 as of 2026-07-03. Shared Cloudflare nameservers (paislee/sean) with mki.mom. | 1 | |
| domain test.airsplu.cn | Gambling redirect destination. Chinese gambling/adult content portal (2026 World Cup Navigation). Huawei CDN (45.197.102.29). Beijing timezone-gated redirect: 7PM-6AM 100%, daytime 30%. | 1 | |
| domain s5gw.mki.mom | Gambling portal backend. CNAME to 500info.win (Azure). Shares Cloudflare nameservers (paislee/sean) with jiathis.com, indicating same Cloudflare account. Baidu Analytics tracker a29b02d841cccc4c4b32f9c5dbebb0b0. | 1 | |
| domain s5dh.club | Gambling portal. 301 redirect to s5gw.mki.mom. Azure IPs (20.239.154.185, 20.2.192.146). Registered 2025-02-19 via GoDaddy. | 1 | |
| domain 500info.win | CNAME load balancer target for s5gw.mki.mom. DNS-only, no A record. | 0 | |
| domain l1ewsu3yjkqeroy.xyz | Former C2 sync endpoint (Phase 2). Cloudflare-fronted. /api/ip-sync/sync POST every 10s with channelCode CHMK6IG08F42496C22. DEAD as of 2026-07-03. | 1 | |
| domain daohang.2023200.com | Former gambling API backend. DEAD as of 2026-07-03. | 0 | |
| ipv4 172.67.184.213 | Cloudflare IP for v3.jiathis.com (Phase 3) | 0 | |
| ipv4 104.21.59.230 | Cloudflare IP for v3.jiathis.com (Phase 3) | 0 | |
| ipv4 45.197.102.29 | Huawei CDN IP for test.airsplu.cn gambling redirect | 0 | |
| ipv4 20.239.154.185 | Microsoft Azure IP for s5dh.club / s5gw.mki.mom gambling portal | 0 | |
| ipv4 20.2.192.146 | Microsoft Azure IP for s5dh.club / s5gw.mki.mom gambling portal | 0 | |
| sha256 e27a0e28da18a7978dd0139bccf48ec5c39454fda6384c95fc0fb004b3b502a2 | [email protected] npm tarball (Phase 3, published 2026-06-27 by npmpacketmaintainmember8) | 1 | |
| sha256 7c59001d7bdd0dfb04b89d2de3d71b18975b20f22b2af880911413fb29cfdff0 | v3.jiathis.com/code/jia.js gambling redirect payload (last-modified 2026-06-30). Baidu Analytics + time-gated redirect to test.airsplu.cn. | 1 | |
| email [email protected] | Phase 3 publisher account (npmpacketmaintainmember8). Published 4.13.7 on 2026-06-27. | 1 | |
| url https://v3.jiathis.com/code/art.js | Injected script URL in [email protected] and 4.13.7 (atob decoded from aHR0cHM6Ly92My5qaWF0aGlzLmNvbS9jb2RlL2FydC5qcw==). Returns 404 as of 2026-07-03. | 1 | |
| url https://v3.jiathis.com/code/jia.js | Injected script URL in [email protected] (with ?uid=artemplate param). Also loaded by legacy JiaThis widget embeddings across thousands of Chinese websites. LIVE, serving gambling redirect payload. | 1 | |
| email [email protected] | npm maintainer email for the marketfront account that published the 25 Wave 4 packages. Anonymous Tutanota (tutamail.com) address. Fifth publisher identity and fourth distinct email tied to the oob-moika-tech campaign (after mr.4nd3r50n/pik-libs, [email protected], [email protected]). | 1 | |
| url /api/v1/events | Wave 4 exfiltration path. Receives a gzip-compressed HTTPS POST carrying harvested credential-file contents, gated by a custom X-Secret header. The full C2 host is RC4+XOR-concealed in the payload and was NOT statically resolved — only the path is known. Detection artifact: outbound POST to /api/v1/events with an X-Secret header and gzip body from a workstation/CI agent during npm install. | 1 | |
| domain npm.marketfront.io | Fabricated internal npm registry lure in the @marketfront package READMEs (registry=https://npm.marketfront.io). Scope-parameterized social-engineering artifact (npm.<scope>.io), NOT confirmed functional infrastructure. Same pattern as npm.car-loans.io / npm.cloudplatform-single-spa.io / npm.t-in-one.io in prior waves. | 1 | |
| domain telemetry.marketfront.io | Fabricated telemetry cover-story endpoint referenced in @marketfront READMEs (telemetry.<scope>.io). Social-engineering artifact to normalize expected outbound network activity at install time; NOT the actual exfil destination (which is the RC4-concealed C2 at path /api/v1/events). | 1 | |
| domain github.marketfront.io | Fabricated GitHub Enterprise subdomain used as the repository.url in @marketfront package metadata (git+https://github.marketfront.io/platform/<pkg>.git). Scope-parameterized social-engineering artifact (github.<scope>.io); not confirmed functional infrastructure. | 1 | |
| sha256 3a24e0fd22dce86e897b09cdb146514a0dcf2430a5d3f307c6b5959155c34b33 | postinstall.js payload SHA256 in @emcd-vue/[email protected] (Wave 3 scope, republished/live as of 2026-07-02). Corroborates the same-operator link across waves. | 1 | |
| sha256 78b06a93c16d990d896ed2c77f48097977ae452f009c0345b5396efdf963a97c | postinstall.js payload SHA256 in @emcd-vue/[email protected] (Wave 3 scope, republished/live as of 2026-07-02). | 1 | |
| sha256 acb6f87e440ccb5efe299313e7adb506586e31a6e7381515a9fb2057965f715e | postinstall.js payload SHA256 in @emcd-vue/[email protected] (Wave 3 scope, republished/live as of 2026-07-02). | 1 | |
| email [email protected] | npm maintainer email for the t.tqm.mfe account that published @tqm-mfe/main. Anonymous Proton Mail address and a NEW actor identifier — distinct from [email protected] (the same-day @marketfront Wave 4 sibling). Sixth publisher identity and fifth distinct email tied to the oob-moika-tech campaign (after mr.4nd3r50n/pik-libs, [email protected], [email protected], [email protected]). | 1 | |
| md5 7c1a3a2eea2fa01246179bcfcd2648b0 | scripts/postinstall.js md5 in @tqm-mfe/[email protected]. ~182 KB obfuscator.io-style single-line payload, RC4/XOR-behind-base64 obfuscation class (same family as @marketfront Wave 4). Differs from the 5.5.0 postinstall.js. | 1 | |
| md5 eba5d3fa62ff3bbcd9d3a75d7f884de2 | scripts/postinstall.js md5 in @tqm-mfe/[email protected] (dist-tag latest, changelog claims 'Added ARM64 support'). Differs from the 5.4.7 postinstall.js md5, indicating a re-obfuscated / updated payload between the two ~2h-apart versions. | 1 | |
| md5 7f01e8546af142347587931cf56cc47a | dist/index.js md5 in @tqm-mfe/main (identical across 5.4.7 and 5.5.0). Non-functional decoy: module.exports = require('../src/index.js'), where ../src/index.js is absent from the tarball — the library cannot load, so only the postinstall hook runs. Same decoy-facade pattern as @marketfront Wave 4. | 1 | |
| domain docs.tqm-mfe.io | Fabricated docs domain in @tqm-mfe/main metadata (homepage https://docs.tqm-mfe.io/platform/main). Scope-parameterized social-engineering artifact (docs.<scope>.io); NOT confirmed functional infrastructure. | 1 | |
| domain jira.tqm-mfe.io | Fabricated Jira domain in @tqm-mfe/main metadata (bugs.url https://jira.tqm-mfe.io/projects/PLATFORM). Scope-parameterized social-engineering artifact (jira.<scope>.io); NOT confirmed functional infrastructure. | 1 | |
| domain npm.tqm-mfe.io | Fabricated internal npm registry lure in the @tqm-mfe/main README (registry=https://npm.tqm-mfe.io). Scope-parameterized social-engineering artifact (npm.<scope>.io) to imply a private registry (the precondition for dependency confusion); NOT confirmed functional infrastructure. | 1 | |
| domain telemetry.tqm-mfe.io | Fabricated telemetry cover-story endpoint referenced in the @tqm-mfe/main README (telemetry.<scope>.io). Social-engineering artifact to normalize expected outbound network activity at install time; NOT the actual exfil destination (which is the RC4-concealed, unresolved C2). | 1 | |
| domain github.tqm-mfe.io | Fabricated GitHub host used as the repository.url in @tqm-mfe/main metadata (git+https://github.tqm-mfe.io/platform/main.git). Scope-parameterized social-engineering artifact (github.<scope>.io); NOT confirmed functional infrastructure. | 1 | |
| sha256 ceff7c51d70832c3ec8dd2744b606a23b3c924ef664ae23439b9b742ea154108 | Decrypted Bun bootstrapper (_b blob), identical across all 20 LeoPlatform infected packages | 1 | |
| sha256 9f93d77d32833a515bc406c46da477142bb1ac2babeecb6aa42f98669a6db015 | Decrypted worm payload (_p blob), identical across all 20 LeoPlatform infected packages (781,580 bytes) | 1 | |
| sha1 24a0d9e496ec07ca978fab602d5f5e0b39fa03a0 | Infected tarball SHA1: leo-logger-1.0.8.tgz | 0 | |
| sha1 5e75c14b8acd5752819ab7a10874ddd6389f5238 | Infected tarball SHA1: serverless-convention-2.0.4.tgz | 0 | |
| sha1 e973173fb757d2dab9c6424b440dd9f7cbe4f14a | Infected tarball SHA1: leo-cache-1.0.2.tgz | 0 | |
| sha1 a8cb86b78ca56befe90dc466642cb04b98079909 | Infected tarball SHA1: rstreams-shard-util-1.0.1.tgz | 0 | |
| github_repo LeoPlatform/Nodejs | GitHub repo with orphan snapshot-f121a878 branch carrying worm payload and weaponized Dependabot workflow | 1 | |
| github_repo LeoPlatform/auth-sdk | GitHub repo with orphan snapshot-463d9ff7 branch carrying worm payload | 1 | |
| github_repo LeoPlatform/Leo | GitHub repo with orphan snapshot-afacc302 branch carrying worm payload | 1 | |
| email [email protected] | Compromised npm maintainer account (czirker / Clint Zirker), patient zero for the LeoPlatform wave. Single maintainer on all 20 infected packages. | 0 | |
| domain wshu.net | SUPPORTING signal, NOT a unique attacker indicator. wshu.net is a PUBLIC DISPOSABLE-EMAIL provider (verified on disposable-email blocklists: disposable-email-domains, fakefilter, MISP warninglists, authgear free-email list, and in unrelated apps' temp-mail signup logs), so the domain alone catches many unrelated throwaway accounts and is a noisy pivot. The campaign uses the per-scope burner pattern <scope>-<6rand>@wshu.net across all 12 scopes; treat that pattern as corroborating evidence only when combined with the durable code fingerprint (shared runPrepare/onInstall javascript-obfuscator wrapper + byte-identical/near-identical payload blobs + the 2026-06-04 publish burst), not as a standalone domain pivot. The earlier noon-contracts npm package (publisher [email protected], 2026-05-10) shares only this disposable-email provider, not payload or code. | 1 | |
| email [email protected] | npm publisher email for the @apexcraft scope (root @apexcraft/nano-key). | 1 | |
| email [email protected] | npm publisher email for the @bytemend scope (@bytemend/mfebus). | 1 | |
| email [email protected] | npm publisher email for the @chunklab scope (@chunklab/hexparse). | 1 | |
| email [email protected] | npm publisher email for the @zynkit scope (@zynkit/jwtbytes and the @zynkit/probe stub). | 1 | |
| email [email protected] | npm publisher email for the @petitcode scope (@petitcode/eb-retry). | 1 | |
| email [email protected] | npm publisher email for the @tinyfox scope (@tinyfox/shapecheck). | 1 | |
| email [email protected] | npm publisher email for the @glitchpad scope (@glitchpad/throttler). | 1 | |
| email [email protected] | npm publisher email for the @thymelab scope (@thymelab/logfx). | 1 | |
| sha256 618dfffb6829356c131fded9f4c6528b73b4f9d7ff1fc1d3b457599a12584e29 | Obfuscated payload blob dist/cjs/seed.cjs in @apexcraft/nano-key 1.3.7 (277264 bytes). | 1 | |
| sha256 a9a28f2e9f7e0348092682940b3bf63d47a63afc18eb8bfe628e5ddab0d73b47 | Obfuscated payload blob dist/bootstrap.js in @bytemend/mfebus 1.4.2 (277306 bytes). | 1 | |
| sha256 24c8f9b8ac17c2f88cc01d44543963206472112510962b68cf5f74d598b3b065 | Obfuscated payload blob script/prelude.cjs in @chunklab/hexparse 1.1.6 (277265 bytes). | 1 | |
| sha256 d06ee17d30ebb333ab2e5b6e8a1324fcf95edaaae17b6793ec0f3647338efda1 | Obfuscated payload blob dist/prelude.cjs in @zynkit/jwtbytes 0.5.3 (282050 bytes). | 1 | |
| sha256 32d02f806d58a6670f7cc9b93f1d85b22e0e0f535e1f90a62d86918033896f54 | Obfuscated payload blob lib/warmup.js in @petitcode/eb-retry 1.3.5 (282294 bytes). | 1 | |
| sha256 0d27ca72b6f02faf4db95effb18347a7e2fa2def2034707bf9e56fa217879a3b | Obfuscated payload blob dist/bootstrap.cjs in @tinyfox/shapecheck 0.8.7 (282051 bytes). | 1 | |
| sha256 68b4fe54a4c05cd0115535ebd4aa8d3cccb03ea5a685f440314814ba1b89e875 | Obfuscated payload blob (262934 bytes) shipped BYTE-IDENTICAL in TWO campaign packages: @glitchpad/throttler 2.2.3 (primer.cjs) and @lazyutil/dater 0.9.4 (dist/lib/tzinit.cjs). Confirmed via cmp/sha256 on extracted tarballs. Evidence that the actor reuses identical compiled blobs in at least one case rather than always re-seeding polymorphic per-string-RC4 builds. | 1 | |
| sha256 4e927f22ad04f4ac9b487ae11412fc2a55210188789ac29f3a47ad77931907a5 | Obfuscated payload blob dist/bootstrap.js in @thymelab/logfx 2.15.5 (282151 bytes). | 1 | |
| file_path require(_0x45af03['GyrZN']) | Dynamically-obscured require with an identical variable name (_0x45af03) and proxy key (GyrZN) across most campaign payload blobs. Resolves a Node built-in module name from a decrypted RC4 string at runtime to keep it out of the static module graph. Cross-package code fingerprint. | 1 | |
| email [email protected] | npm publisher email for the @briskforge scope (@briskforge/envcheck). | 1 | |
| email [email protected] | npm publisher email for the @lazyutil scope (@lazyutil/dater). | 1 | |
| email [email protected] | npm publisher email for the @frostnode scope (@frostnode/waitfor). | 1 | |
| email [email protected] | npm publisher email for the @nullzero scope (@nullzero/urlcat, flagged version unpublished before inspection). | 1 | |
| sha256 26ddfae644673e0ad65b63caaaf67c0f7dc6c2b2b4127bb5271f8d03fb62091a | Obfuscated payload blob lib/preflight.js in @briskforge/envcheck 0.5.4 (277356 bytes). | 1 | |
| sha256 2de602e6422a991346aaf0b74ed6bd525215f5177b9f7f267ccb4d82e919273d | Obfuscated payload blob dist/cjs/tickinit.cjs in @frostnode/waitfor 0.10.5 (259358 bytes). | 1 | |
| file_path require(_0x2cb1b0['UGeLH']) | Variant of the campaign's dynamically-obscured require fingerprint, found in @frostnode/waitfor dist/cjs/tickinit.cjs. Same technique as the canonical require(_0x45af03['GyrZN']) with a different variable name and proxy key — confirms shared obfuscation template across re-seeded builds. | 1 | |
| email [email protected] | npm publisher email for the @gleamkit scope (@gleamkit/probe scope-reservation stub). Same <scope>-<6char>@wshu.net burner pattern; wshu.net is a public disposable-email provider (supporting signal only). | 1 | |
| github_repo angelmaybeth21-oss/test | Second-stage delivery (Amazon Inspector / Operation Friday Harvest). The obfuscated first-stage downloader pulls a ~10.6MB Rust infostealer from this account's GitHub Releases. STRONGER pivot than the shared disposable wshu.net email. Account angelmaybeth21-oss created 2026-06-03; repo 'test' now removed but the account is still live. Dropper URL pattern: github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/{linux,mac,win.js}. SafeDep independently verified the account exists via the GitHub API this session. | 1 | |
| github_repo smilingdusty233 | Secondary GitHub delivery/staging account associated with the campaign (Amazon Inspector). Created 2026-05-31. SafeDep independently verified the account exists via the GitHub API this session. | 1 | |
| url https://github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/linux | GitHub Releases dropper URL for the Linux Rust infostealer ELF second stage (Amazon Inspector). Pattern: .../v1.0.0/{linux,mac,win.js}. | 1 | |
| url https://github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/mac | GitHub Releases dropper URL for the macOS Rust infostealer Mach-O second stage (Amazon Inspector). | 1 | |
| url https://github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/win.js | GitHub Releases dropper URL for the Windows Rust infostealer second stage (Amazon Inspector). The win.js name is a masquerade; the artifact is the Windows binary. | 1 | |
| domain api.telegram.org | Telegram Bot API used as exfil C2 by the Windows variant of the Rust infostealer second stage (Amazon Inspector). Resolves to 149.154.166.110. Linux/macOS variants exfil over HTTP multipart/form-data instead. | 1 | |
| ipv4 149.154.166.110 | Telegram infrastructure IP for api.telegram.org, the Windows-variant exfil C2 of the Rust infostealer second stage (Amazon Inspector). | 1 | |
| sha256 2457b2e775a5fe7a9e022ba77074a1b9aacb41b4fc0cc1d8a3dc66546599c5de | Second-stage Rust infostealer Linux ELF (~10.6MB) downloaded from github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/linux. Attributed to Amazon Inspector dynamic analysis (VirusTotal/CAPE). | 1 | |
| sha256 b1c7b17f31a84e2596250121c3610ae5e0d592651940dd6c0dd74506f0f38313 | Second-stage Rust infostealer macOS Mach-O downloaded from github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/mac. Attributed to Amazon Inspector dynamic analysis. | 1 | |
| sha256 11fe3a47333f63fd0e0a32ea16351eb302659aba983c07e4ea3dc9b09b618509 | Second-stage Rust infostealer Windows binary (win.js) downloaded from github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/win.js. Windows variant exfils via Telegram Bot API and is NOT anti-VM gated. Attributed to Amazon Inspector dynamic analysis. | 1 | |
| file_path /tmp/_installer-0/ | Host staging directory created by the downloader/second stage (Amazon Inspector). | 1 | |
| file_path ~/.local/bin/<daemon> | Persistence binary path for the Rust infostealer, masquerading as a benign daemon (observed names: colord, haveged). Paired with the systemd user unit at ~/.config/systemd/user/<daemon>.service (Amazon Inspector). | 1 | |
| file_path ~/.config/systemd/user/<daemon>.service | systemd USER service unit installed for persistence, masquerading as a benign daemon (colord, haveged). Loads ~/.local/bin/<daemon> (Amazon Inspector). | 1 | |
| file_path ~/.local/state/<daemon>/{install.nonce,machine.id} | Host state artifacts (install nonce + machine id) written by the Rust infostealer second stage (Amazon Inspector). | 1 | |
| file_path __[0-9A-F]{10}_TAG | Re-entrancy guard variable-name pattern in the obfuscator.io first-stage blobs (e.g. __EE9863E13F_TAG). Together with the string-array function name it defines the 5 build clusters (A=__EE9863E13F_TAG, B=__7D0A53D40B_TAG, C=__38CC632841_TAG, D=__70FE9F7AB6_TAG, E=__4C6BA78C7C_TAG). Members in the same cluster share an obfuscator seed, explaining the byte-identical blob reuse (Amazon Inspector + SafeDep). Hunt as a code/regex fingerprint. | 1 | |
| ipv4 192.168.54.1 | C2 host for MYRA RAT. RFC 1918 private address, unusual for public npm malware. Port 4444 (C2), port 5555 (screen viewer). Suggests lab/testing environment or internal network targeting. | 0 | |
| email [email protected] | npm publisher email for account kimijohn01, used to publish all 6 versions of apintergrationpost. Throwaway Proton Mail account. | 0 | |
| sha256 6f4da8919cef1623f7a6a08cb66fc1b3d7f3e5d13f4f3b03c378c0f4a797f52f | apintergrationpost v4.0.1 tarball hash | 0 | |
| sha256 bff1cee1548dfc29da7618e11fcc2569ac849f9544056b89cbaa66d0874c1788 | apintergrationpost v4.0.2 tarball hash | 0 | |
| sha256 ba8e9452c53f5b66e47cc55e4e3531c1c59113950e49cf4eb5f14df1066f6390 | apintergrationpost v4.0.3 tarball hash | 0 | |
| sha256 cc1287f3eb21f176e6337db4739975c457578f4b3f54fd58c899b711f4cbc58f | apintergrationpost v4.0.4 tarball hash | 0 | |
| sha256 2253a51ce77c72ca1cad59fac8827a82d835bb64738cec42a2fa0d77bfac8b7e | apintergrationpost v4.0.5 tarball hash | 0 | |
| sha256 a6c687f276034f5bcf8070b750060c840a80a97e350592a015ed6e0974be87c4 | apintergrationpost v4.0.6 tarball hash | 0 | |
| file_path /usr/local/lib/.libcache.so | LD_PRELOAD rootkit shared object. Hooks readdir/stat to hide MYRA files and processes. Compiled from C source during npm postinstall. | 0 | |
| file_path /usr/local/lib/.cache-update.sh | MYRA RAT wrapper/launcher script. Invoked by cron (*/13 * * * *) and profile.d. Sets LD_PRELOAD and launches the Node.js RAT agent. | 0 | |
| file_path /etc/profile.d/.sh.local | Login persistence. Sourced on every shell login to relaunch MYRA RAT via .cache-update.sh. | 0 | |
| file_path /usr/lib/systemd/systemd-userdbd | Overwritten with Node.js binary. MYRA RAT masquerades as systemd-userdbd service for process blending. | 0 | |
| domain stitch-production.org | C2 domain for credential exfiltration. Registered via GoDaddy on 2026-06-19T11:07:09Z, 75 minutes before first package publish. Cloudflare-fronted. Backend nginx/1.18.0 (Ubuntu). Mimics stitch.withgoogle.com production API. | 0 | |
| ipv4 172.67.189.185 | Cloudflare IP for stitch-production.org C2 domain | 0 | |
| ipv4 104.21.65.94 | Cloudflare IP for stitch-production.org C2 domain | 0 | |
| url https://stitch-production.org/api/v1 | C2 endpoint. Credential exfiltration via GET query parameters: ?src=<source>&user=<email>. Fallback beacon: ?email-not-found=true | 0 | |
| email [email protected] | npm publisher email for @withgoogle/stitch-sdk. Throwaway account. | 0 | |
| sha256 ba5b2a9a7fe596734fb69bdf1a35071d1a2f435a36e8c870bd4390c562d9f614 | @withgoogle/stitch-sdk v0.1.1 tarball hash | 0 | |
| sha256 638b523ddd3382b622c412e37f274db1a9a6505893fa7236183f0b67a5355e94 | @withgoogle/stitch-sdk v0.1.2 tarball hash | 0 | |
| github_repo maximus-mcmillan/stitch-sdk | Fabricated repository URL in package.json. GitHub user and repo do not exist (404 / deleted). | 0 | |
| email [email protected] | Operator email on the compromised `ehindero` npm account at time of the malicious @mastra republish. | 1 | |
| email [email protected] | Original email on the `ehindero` npm account during its clean @mastra/core alpha publishes (2024-11 to 2025-02); same account, later changed to tutamail. Account-takeover indicator. | 1 | |
| email [email protected] | Email of the `sergey2016` npm account that published the easy-day-js dropper. Sibling <name>[email protected] pattern shared with the operator. | 1 | |
| ipv4 23.254.164.92 | Stage-2 download host (dropper). HTTPS GET to https://23.254.164.92:8000/update/49890878. Hostwinds, PTR hwsrv-1327786.hostwindsdns.com. User-Agent gated: serves payload only to Node default UA. | 1 | |
| ipv4 23.254.164.123 | RAT stage-2 C2 (still live at analysis time). HTTPS POST to https://23.254.164.123/49890878. Hostwinds, PTR hwsrv-1327785.hostwindsdns.com. Fronts an expired wolfSSL test cert CN=www.wolfssl.com. | 1 | |
| url https://23.254.164.92:8000/update/49890878 | Dropper stage-2 retrieval URL; returns the 12-byte-hex-named JS RAT loader only to Node default User-Agent. | 1 | |
| url https://23.254.164.123/49890878 | RAT stage-2 C2 endpoint; base64-encoded JSON beacon/command protocol (type:prepare/tpcsr/r0), default 10-minute cycle. Campaign path /49890878 shared with the dropper. | 1 | |
| sha256 221c45a790dec2a296af57969e1165a16f8f49733aeab64c0bbd768d9943badf | Stage-2 payload: 41 KB obfuscated multi-platform cryptocurrency-stealer RAT. | 1 | |
| sha256 4a8860240e4231c3a74c81949be655a28e096a7d72f38fbe84e5b37636b98417 | [email protected] npm tarball (clean precursor, no install hook). | 1 | |
| sha256 ae70dd4f6bc0d1c8c2848e4e6b51934626c4818dcb5af99d080ddbd7dc337185 | [email protected] npm tarball (armed: postinstall RAT dropper setup.cjs). | 1 | |
| sha256 2e2340f2ab71f321d3ef6fb9a7542fb9f30f3c65ba7ef924fcd8acc63829b5bf | @mastra/[email protected] npm tarball (republished by ehindero, dist.attestations=null, easy-day-js dependency injected). | 1 | |
| file_path setup.cjs | [email protected] postinstall dropper (obfuscator.io custom-base64 string-array). Sets NODE_TLS_REJECT_UNAUTHORIZED=0, fetches stage 2, spawns detached node child, then self-deletes (fs.rmSync(__filename)). | 1 | |
| file_path .pkg_history | Marker file written to os.tmpdir() by setup.cjs (contains __dirname). | 1 | |
| file_path .pkg_logs | Marker file written to os.tmpdir() by setup.cjs (bytes of "easy-day-js" XOR 0x80). | 1 | |
| file_path ~/Library/LaunchAgents/com.nvm.protocal.plist | macOS RAT persistence LaunchAgent (typosquats nvm tooling). | 1 | |
| file_path ~/Library/NodePackages/protocal.cjs | macOS RAT payload body disguised as Node tooling. | 1 | |
| file_path ~/.config/systemd/user/nvmconf.service | Linux RAT persistence systemd user unit (typosquats nvm tooling). | 1 | |
| file_path ~/.config/NodePackages/config.json | Linux RAT config persistence (UID/PrimaryUrl/Cycle). | 1 | |
| file_path C:\ProgramData\NodePackages | Windows RAT persistence/config directory. | 1 | |
| url https://files.catbox.moe/j4loim.chk | Decoded C2 / payload URL, reconstructed from endpointmap's _ep+_p byte arrays XOR-decoded with the name-derived key 'endpoint'. catbox.moe is a public anonymous file host abused for inbound payload staging. | 1 | |
| domain files.catbox.moe | Payload staging host. catbox.moe flagged by 6/92 VirusTotal vendors at analysis time. Shared atom with LofyGang (lofygang-undicy-http) but used here for INBOUND payload staging vs LofyGang's OUTBOUND exfil — coincidental shared infra, NOT attribution. | 1 | |
| domain deltajohnsons.com | Custom throwaway email domain shared across all five npm maintainer accounts (one unique random local-part per package). Strongest cluster fingerprint for this operator. | 1 | |
| email [email protected] | procwire maintainer email. | 1 | |
| email [email protected] | routecraft maintainer email. | 1 | |
| email [email protected] | endpointmap maintainer email. | 1 | |
| email [email protected] | bytecraft maintainer email. | 1 | |
| email [email protected] | staticlayer maintainer email. | 1 | |
| email [email protected] | Invented author persona 'Anton Kuznetsov' (akuznetsov-oss org packages: procwire, routecraft). | 1 | |
| email [email protected] | Invented author persona 'Viktor Petrov' (vpetrov-oss org packages: bytecraft, endpointmap, staticlayer). | 1 | |
| github_repo akuznetsov-oss | Fabricated GitHub organization (now 404) for procwire and routecraft. | 1 | |
| github_repo vpetrov-oss | Fabricated GitHub organization (now 404) for bytecraft, endpointmap, staticlayer. | 1 | |
| file_path lib/setup.js | procwire preinstall entrypoint: win32 guard, name-derived XOR key, C2 decode, worker.init(). | 1 | |
| file_path lib/registry.js | endpointmap metadata-only C2 store: XOR-encoded _ep and _p byte arrays disguised as endpoint constants. | 1 | |
| domain olrh4mibs62l6kkuvvjyc5lrercqg5tz543r4lsw3o6mh5qb7g7sneid.onion | Tor hidden-service C2 for the Atomic Arch implant. Beacon POST /api/agent HTTP/1.0; secondary-payload staging at /bin/linux with hash verification at /bin/sha256/linux. Onion host is XOR-obfuscated in the binary (32-byte repeating key at offset 0x1AA60, 62-byte ciphertext at 0x2DA96). Same /api/agent beacon path as IronWorm. | 1 | |
| sha256 6144d433f8a0316869877b5f834c801251bbb936e5f1577c5680878c7443c98b | Dropper ELF inside [email protected] (./src/hooks/deps). Stripped Rust-async Linux ELF64 PIE, entry 0xeae00, 3,040,376 bytes. MD5 42b59fdbe1b72895b2951412222ebf40. | 1 | |
| md5 42b59fdbe1b72895b2951412222ebf40 | MD5 of the atomic-lockfile dropper ELF (./src/hooks/deps). | 1 | |
| sha256 7883bda1ff15425f2dbe622c45a3ae105ddfa6175009bbf0b0cad9bf5c79b316 | Linux ELF payload embedded in the js-digest npm package (Atomic Arch wave-2 / bun-delivered variant). | 1 | |
| sha256 47893d9badc38c54b71321263ce8178c1abb10396e0aadf9793e61ec8829e204 | Secondary payload fetched from the Tor C2 at /bin/linux (verified against /bin/sha256/linux). Suspected cryptominer; detection hint is modification of /usr/bin/monero-wallet-gui. | 1 | |
| file_path src/hooks/deps | Path of the Rust-async ELF infostealer dropper inside the atomic-lockfile npm tarball; invoked by the package.json preinstall hook (preinstall: ./src/hooks/deps). | 1 | |
| file_path scales.bpf.c | eBPF rootkit component source filename. Hooks getdents64() to hide PIDs from /proc, filenames from directory listings, and socket inodes from /proc/net/tcp + netlink (NETLINK_SOCK_DIAG). Pinned BPF maps /sys/fs/bpf/hidden_pids, /sys/fs/bpf/hidden_names, /sys/fs/bpf/hidden_inodes. Kills ptrace (PTRACE_ATTACH/PTRACE_SEIZE). IronWorm equivalent was q2.bpf.c. | 1 | |
| github_repo fardewoak/nodejs-argo | GitHub repo hosting a container image (ghcr.io herbsobering430) tied to the npm publisher herbsobering; appears to be reverse-shell / proxy tooling associated with the Atomic Arch operator. | 1 | |
| url https://o4511539639222272.ingest.de.sentry.io/api/4511539669368912/envelope/ | Sentry ingest (envelope) endpoint abused as the C2/exfiltration drop. build.rs POSTs stolen git metadata and source diffs here via curl. Sentry org ID o4511539639222272, project ID 4511539669368912, region host ingest.de.sentry.io. | 0 | |
| domain o4511539639222272.ingest.de.sentry.io | Region-pinned Sentry ingest host (org subdomain o4511539639222272, EU/de region) used for exfiltration. | 0 | |
| github_repo cenotelie/onering | Source repository of the onering crate; malicious build.rs introduced in commit 45e552f541dd96c2ac224d1b97cb7cda1c1d63e9. | 0 | |
| file_path build.rs | Cargo build script added to the crate; executes at compile time on the consumer machine and performs the data collection and exfiltration. | 0 | |
| url https://8197ee42c4f59c83f4cc6d48f5bae821@o4511539639222272.ingest.de.sentry.io/4511539669368912 | Full Sentry DSN embedded in the envelope 'dsn' field. The public key 8197ee42c4f59c83f4cc6d48f5bae821 is the most specific attributable indicator in the payload (distinct from the bare ingest URL). DSN form: https://<public_key>@o<org>.ingest.<region>.sentry.io/<project_id>. Hunt for the literal key 8197ee42c4f59c83f4cc6d48f5bae821 in package sources and outbound traffic. | 0 | |
| file_path Cargo.toml | Dependency-level indicator: the malicious commit adds a build-dependency 'uuid = { version = "1.23", default-features = false, features = ["v4"] }' to Cargo.toml, used for Uuid::new_v4().as_simple() to generate the Sentry event_id. An otherwise-unexpected 'uuid' build-dep appearing alongside a new build.rs is a strong combined signal. | 0 | |
| sha256 51b4dd39a15af1e28e97adc375849d688423ec3d88e8010644395fcdea52a3cc | core/telemetry/_hooks.py — Python stager injected into gpt-pilot; derived from edxeth/Shai-Hulud-Open-Source PYTHON_LOADER.py | 1 | |
| sha256 c96f37e1b9cdc9683a300909492ed9f770b620d0037e5b80e23753cba7ca4077 | core/telemetry/_runtime.bin — 758 KB Bun JS payload with // @bun @bun-cjs header, MxGPr9 string-array rotation obfuscation, fromCodePoint decoder | 1 | |
| file_path core/telemetry/_hooks.py | Python stager file path in compromised gpt-pilot repository | 0 | |
| file_path core/telemetry/_runtime.bin | Bun JS payload file path; .bin extension used to blend with compiled asset naming conventions | 0 | |
| file_path core/telemetry/.loader.lock | Run-once lock file; presence indicates prior stager execution on the host | 1 | |
| github_repo Pythagora-io/gpt-pilot | Compromised Python AI coding assistant repository; injected via direct PAT push | 1 | |
| github_repo edxeth/Shai-Hulud-Open-Source | Attacker toolkit repository (created 2026-05-13); contains src/assets/PYTHON_LOADER.py — the template for the gpt-pilot stager | 1 | |
| github_repo deadbeef3137/Shai-Hulud-Open-Source | Fork of attacker toolkit edxeth/Shai-Hulud-Open-Source | 0 | |
| file_path tools/setup | ~976 KB UPX-packed Rust ELF infostealer binary dropped inside the malicious npm tarball; invoked by the package.json preinstall hook (preinstall: ./tools/setup). | 1 | |
| file_path .github/scripts/precheck | Alternate in-repo path for the IronWorm Rust binary dropper, committed under the spoofed claude author identity. | 1 | |
| file_path q2.bpf.c | eBPF rootkit component source filename recovered from .BTF.ext debug metadata left in the embedded ELF object (214 verbatim source lines). Provides process hiding (/proc rewriting), TCP socket hiding (netlink filtering), and anti-debugging (ptrace interception, SIGKILL). | 1 | |
| url http://127.0.0.1:8738 | Local loopback HTTP listener used to capture wallet credential POSTs (Exodus desktop wallet password + BIP-39 seed mnemonic injected from the browser/app). | 1 | |
| url https://temp.sh | Fallback exfiltration host (public file-sharing service), reached over Tor via POST /upload when the primary Tor hidden-service C2 is unavailable. Same fallback as IronWorm. | 2 | |
| url tor://api/agent | Primary C2 beacon path /api/agent served over a Tor hidden service (.onion address not published by the researcher). Provides remote shell plus file download/execute. Tor reached via custom torrc + downloaded Tor expert bundle. | 1 | |
| url https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package | npm OIDC Trusted Publishing token-exchange endpoint abused for self-replication: mints a package-scoped automation token without stored credentials, then republishes trojanized versions. | 1 | |
| wallet 0x7e28D9889f414B06c19a22A9Bd316f0AC279a4d6 | Operator's own Ethereum wallet, derived from a hardcoded BIP-39 recovery phrase ('bench crane defense corn wheel trial news abuse finish better paddle slush') left inside the binary and present in the malware's wallet skip-list. Near-empty test wallet; an OPSEC failure that aids attribution. | 1 | |
| github_repo asteroid-dao/eternal-storage | Victim GitHub repo poisoned by IronWorm. Malicious commit SHA a8f0c75a77698759413dbadcb99b62709816ed42 (backdated, spoofed claude author). | 1 | |
| github_repo asteroid-dao/asteroid-protocol | Victim GitHub repo poisoned by IronWorm. Malicious commit SHA 5d7c93caf50a447a8d48cafe2e5cff6b47618b13. | 1 | |
| github_repo alisista/aht-testnet | Victim GitHub repo poisoned by IronWorm. Malicious commit SHA 10c619e75181d07ddcccb5c1f62766c85fef08df. | 1 | |
| github_repo ocrybit/mweb3waves | Victim GitHub repo (compromised account ocrybit) poisoned by IronWorm. Malicious commit SHA 0fe6a098fe698e586188e0f2e851ef43f1a35958. | 1 | |
| github_repo ocrybit/by-coffeescript | Victim GitHub repo (compromised account ocrybit) poisoned by IronWorm. Malicious commit SHA fd64413119575fa119eaa9f94d32208c7d916796. | 1 | |
| email [email protected] | npm maintainer email for account speedsteraxios (faster-axios publisher). Offensive/racist throwaway. Weak actor selector. | 1 | |
| sha256 f89694ba247a7a67e582572094c9f19d2e09882eff8917f78125d54b733bd24e | [email protected] npm tarball | 1 | |
| sha256 80c18e0d71a31a2e66d8796c6d7081fa3414c1801057131f1cd851c87c1a029e | [email protected] npm tarball | 1 | |
| sha256 bc46e88b1fdf8c27e3404146306b4651f69728f7d8d939a219dfbcb5a23ef69a | Stage 4 hello.exe. PE32 NSIS self-extracting installer, 86,235,515 bytes (~86MB). Contains electron-builder Electron app with Epsilon Stealer in resources/app.asar -> src/index.js (3,360 lines). NSIS header references www.inkscape.org (decoy). | 1 | |
| url https://cold5.gofile.io/download/web/c5d2304a-2ede-4fd8-904b-9a6cdd3f8a6c/analyst.js | faster-axios v1.17.3 stage-2 delivery URL (gofile.io file hosting). Now returns landing page; likely token-gated or removed. | 1 | |
| url https://apparently-movers-mysql-heights.trycloudflare.com/download/datab1 | faster-axios v1.17.4 stage-2 delivery URL (Cloudflare quick-tunnel C2). LIVE, returned HTTP 200. Stage 3 = Windows-only dropper. | 1 | |
| url https://apparently-movers-mysql-heights.trycloudflare.com/download/epsilon | Stage 4 download URL. Dropper fetches hello.exe to %TEMP% and runs via child_process.execFile. | 1 | |
| url https://apparently-movers-mysql-heights.trycloudflare.com/download/browser | Shellcode download URL. Epsilon Stealer fetches XOR-encoded (key 0xAA) shellcode for process injection into dllhost.exe. | 1 | |
| domain apparently-movers-mysql-heights.trycloudflare.com | Cloudflare quick-tunnel C2 host for faster-axios. Serves: stage-2 delivery (/download/datab1), stage-4 PE (/download/epsilon), and shellcode (/download/browser). | 1 | |
| domain recorded-distinct-face-girlfriend.trycloudflare.com | Epsilon Stealer exfil API tunnel. Endpoints: /customer (registration), /upload (file exfil), /discord-token (Discord token exfil), /clip (clipboard data). | 1 | |
| url https://recorded-distinct-face-girlfriend.trycloudflare.com/customer | Epsilon Stealer exfil API base. Sub-endpoints: /upload, /discord-token, /clip. | 1 | |
| domain consequences-faces-weblogs-clinical.trycloudflare.com | SHARED INFRASTRUCTURE linking turbo-axios and faster-axios (high confidence same operator). turbo-axios v1.17.2 used this tunnel as stage-2 C2 at /download/datab1. faster-axios Epsilon Stealer source references this tunnel as DOWNLOAD_URL constant (line 99) at /download/load. Campaign-level pivot indicator. | 1 | |
| url https://consequences-faces-weblogs-clinical.trycloudflare.com/download/load | Secondary download URL used by Epsilon Stealer (faster-axios) for additional payload retrieval. | 1 | |
| url https://consequences-faces-weblogs-clinical.trycloudflare.com/download/datab1 | turbo-axios v1.17.2 stage-2 C2 endpoint. Same tunnel reused in faster-axios Epsilon Stealer source. Key infrastructure pivot linking both packages to one operator. | 1 | |
| domain philosophy-moms-incoming-milton.trycloudflare.com | Cloudflare quick-tunnel C2 for turbo-axios v1.17.3 stage-2 delivery. Endpoint: /download/datab1. Rotated tunnel after consequences-faces-weblogs-clinical was used for v1.17.2. | 1 | |
| url https://philosophy-moms-incoming-milton.trycloudflare.com/download/datab1 | turbo-axios v1.17.3 stage-2 delivery URL. Rotated Cloudflare quick-tunnel with same /download/datab1 path pattern as all other campaign tunnels. | 1 | |
| domain prep-integer-lit-preferences.trycloudflare.com | WebSocket RAT gateway for Epsilon Stealer. Persistent WSS connection with auto-reconnect. Supports arbitrary cmd.exe/powershell execution with real-time stdout streaming. | 1 | |
| file_path %TEMP%\hello.exe | Windows drop path for stage-4 NSIS PE, executed via child_process.execFile. | 1 | |
| file_path %LOCALAPPDATA%\Microsoft\Windows\0\svchost.exe | Epsilon Stealer persistence copy. Binary copied here and launched via HKCU Run key on reboot. | 0 | |
| file_path HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost | Registry Run key set by Epsilon Stealer for boot persistence. Points to %LOCALAPPDATA%\Microsoft\Windows\0\svchost.exe. | 0 | |
| file_path %TEMP%\browser-extraction-<username> | Staging directory for injected browser credential data. <username> replaced with victim's Windows username. | 0 | |
| file_path %TEMP%\epsilon-<username> | Main staging directory for all Epsilon Stealer exfil data. <username> replaced with victim's Windows username. | 0 | |
| github_repo speedsteraxios | npm publisher account handle for faster-axios (used as weak actor selector; not a confirmed GitHub repo). | 1 | |
| email [email protected] | npm maintainer email for the emcd-vue account that published the Wave 3 packages. Anonymous Proton Mail address. Fourth email identity tied to the oob-moika-tech campaign. | 1 | |
| domain emcd-vue.io | Fake domain used in Wave 3 package README and metadata to impersonate the EMCD organization. Not related to real emcd.io. Social engineering artifact. | 1 | |
| domain github.emcd-vue.io | Fake GitHub subdomain used as the repository URL in @emcd-vue package metadata (git+https://github.emcd-vue.io/platform/auth.git). Social engineering artifact designed to mimic a private GitHub Enterprise instance. | 0 | |
| file_path ~/.emcd-vue_init.js | Second-stage dropper written to the user home directory (not OS temp dir) by the Wave 3 postinstall hook, then spawned detached. Dot-hidden file. Persistence upgrade over Waves 1+2 which used os.tmpdir(). | 1 | |
| file_path ~/.emcd-vue_init/ | Home-directory cache directory used for run-once deduplication. Contains JSON files keyed by hash(package_name + hostname + project_root). Wave 3 replacement for Wave 2's ~/.cache/._t-in-one_init/. | 0 | |
| file_path EMCD_VUE_NO_TELEMETRY | Functional kill switch environment variable checked by the Wave 3 postinstall code. Setting this variable causes the payload to exit early without beaconing. NOT the variable advertised in the README (which is EMCD_VUE_8D440FE1_NO_TEL — non-functional by design). | 0 | |
| file_path EMCD_VUE_8D440FE1_NO_TEL | README-advertised kill switch env var — deliberately mismatched from the functional code kill switch (EMCD_VUE_NO_TELEMETRY). Setting this variable does NOT prevent payload execution. Social engineering artifact: the 8D440FE1 hex fragment in the name indicates deliberate construction, not a typo. | 0 | |
| sha256 031ba872d5a84bfb18115f432811e4b45180346a1bae653f7fd85f918e7bb3a3 | [email protected] malicious tarball SHA256 | 1 | |
| sha256 df1732f5bfec12e066be44dee02ec8a243e4868d38672c1b1d065359dd735a14 | index.js dropper SHA256 (ROT-9 + AES-128-GCM loader) | 1 | |
| sha256 0dc06ecdaa63fe24859cfd955053c23245c536e4733480239d14bebf12688e35 | decrypted Bun worm payload SHA256 | 1 | |
| url https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/ | npm OIDC-to-publish-token exchange endpoint abused for self-propagation | 1 | |
| url https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/ | Bun runtime download URL used by the Miasma worm bootstrapper across all waves (inferred for Wave 5; unconfirmed until payload is reversed) | 1 | |
| file_path /var/run/secrets/kubernetes.io/serviceaccount/token | Kubernetes service account token harvested | 1 | |
| file_path /var/run/docker.sock | Docker socket abused for container escape | 1 | |
| file_path /tmp/p<random>.js | Temp file pattern for decoded worm payload before Bun execution (inherited from prior Miasma waves; unconfirmed for Wave 5 until payload is reversed) | 1 | |
| file_path /tmp/b-<random>/bun | Runtime artifact (downloaded Bun runtime) | 1 | |
| file_path /tmp/kitty-<random> | Runtime worm artifact | 1 | |
| domain login.microsoftonline.com | Azure managed identity / token endpoint queried | 1 | |
| domain graph.microsoft.com | Azure Graph API queried for identity data | 1 | |
| email [email protected] | Spoofed/unconfirmed git author on malicious commits (Justin Orringer) | 1 | |
| github_repo RedHatInsights/javascript-clients | Compromised repo; workflow ci.yml; branches oidc-4d5900f3, oidc-6523a11b; 15 packages | 1 | |
| github_repo RedHatInsights/frontend-components | Compromised repo; workflow ci.yaml; branches oidc-61fff775, oidc-af10000d; 14 packages | 1 | |
| github_repo RedHatInsights/platform-frontend-ai-toolkit | Compromised repo; workflow release.yml; branches oidc-2530ec68, oidc-93b9a955; 3 packages | 1 | |
| email [email protected] | npm maintainer email for the t-in-one account that published the 12 Wave 2 packages. First email identity tied to the oob-moika-tech campaign (Wave 1 accounts mr.4nd3r50n and pik-libs had no public email). | 1 | |
| file_path ._t-in-one_init.js | Second-stage dropper written to the OS temp directory (os.tmpdir()) by the Wave 2 postinstall hook, then spawned detached. Follows the same ._<scope>_init.js naming pattern as Wave 1's ._cloudplatform-single-spa_init.js. | 1 | |
| file_path ~/.cache/._t-in-one_init/ | Run-once de-duplication marker directory created by the Wave 2 payload so a host is beaconed only once. New in Wave 2. | 0 | |
| domain npm.t-in-one.io | Fabricated internal npm registry domain in the @t-in-one README and .npmrc lure (registry=https://npm.t-in-one.io). Social engineering artifact; not confirmed functional infrastructure. | 1 | |
| domain docs.t-in-one.io | Fabricated docs domain in @t-in-one README. Social engineering artifact; not confirmed functional. | 0 | |
| domain jira.t-in-one.io | Fabricated Jira domain in @t-in-one README. Social engineering artifact; not confirmed functional. | 0 | |
| sha256 23ccdefb9b917373a4b723d8d482eb6b8880e7e45b0d21cfa5d21d5c27da4918 | SHA256 of the @t-in-one/[email protected] npm tarball (registry.npmjs.org). Sample Wave 2 artifact. | 0 | |
| domain copilot-ai.whisdev.org | Secondary hostname on C2 IP 195.201.194.107. Linked to bink/ptc-bink/whisdev persona cluster (JFrog attribution). | 1 | |
| domain sha256-validate-rpc.vercel.app | Contagious Trader exfil endpoint used by polymarket-validator (toskypi, Feb 2026) | 1 | |
| domain changelog.rest | Contagious Trader exfil endpoint used by changelog-logger-utilities (toskypi, Mar 2026) | 1 | |
| domain polblxpnl.space | Contagious Trader C2 domain | 0 | |
| sha256 b2954c945b51dbd6fa88ac72338b7fbf76dec7d9909ceada9d36b21330842c97 | MicrosoftSystem64 Linux ELF binary (81 MB Node.js SEA, v1.0.8) | 1 | |
| email [email protected] | npm account toskypi, linked to ~20 DPRK npm accounts per kmsec.uk. Published polymarket-validator, changelog-logger-utilities. Famous Chollima. | 1 | |
| url https://huggingface.co/jpeek998/system-releases/resolve/main | Binary update URL for MicrosoftSystem64 self-update (24h interval) | 1 | |
| url https://huggingface.co/Lordplay/system-releases | Original binary hosting repo on HuggingFace (disabled by HF, account Lordplay created 2025-11-24). Shared by jpeek868/886/895 cluster. | 1 | |
| url https://huggingface.co/jpeek998/linux_doc_75a5ffec36ca | Third victim dataset: 48 screenshot files, started 2026-05-28T06:10:24Z. Active compromise evidence. | 1 | |
| file_path ~/.local/share/MicrosoftSystem64 | Linux install directory for MicrosoftSystem64 binary and state files | 1 | |
| file_path ~/.pcl-state/uploads.json | Screenshot upload state tracker for HuggingFace exfiltration | 1 | |
| domain oob.moika.tech | Shared C2 host across all three waves. Hosts /report exfiltration endpoint and /payload/{platform} second-stage scripts. Wave 3 platform strings: linux-x64, darwin-arm64, win. | 1 | |
| url https://oob.moika.tech/report | Exfiltration endpoint. Receives HTTP POST with process.env, hostname, username, platform, arch, cwd, Node.js version, and X-Secret authentication header. | 1 | |
| url https://oob.moika.tech/payload/mac.js | Second-stage payload for macOS, fetched by postinstall hook on darwin systems. | 1 | |
| url https://oob.moika.tech/payload/win.js | Second-stage payload for Windows, fetched by postinstall hook on win32 systems. | 1 | |
| url https://oob.moika.tech/payload/linux.js | Second-stage payload for Linux, fetched by postinstall hook on linux systems. | 1 | |
| file_path ._cloudplatform-single-spa_init.js | Temp file written by the postinstall hook when downloading the second-stage payload. Written to the OS temp directory (os.tmpdir()). Name is consistent across all packages regardless of scope. | 1 | |
| domain telemetry.car-loans.io | Fabricated telemetry domain appearing only in @car-loans scope README text. Social engineering artifact — not confirmed functional C2. Declared opt-out: CAR_LOANS_NO_TELEMETRY=1. Actual exfiltration target is oob.moika.tech. | 1 | |
| domain telemetry.cloudplatform-single-spa.io | Fabricated telemetry domain appearing only in @cloudplatform-single-spa scope README text. Social engineering artifact — not confirmed functional C2. Declared opt-out: CLOUDPLATFORM_SINGLE_SPA_NO_TELEMETRY=1. Actual exfiltration target is oob.moika.tech. | 1 | |
| domain npm.car-loans.io | Fabricated private npm registry domain in @car-loans README and .npmrc comment (registry=https://npm.car-loans.io). Social engineering artifact confirming target org uses a private npm registry — the precondition for dependency confusion. Not confirmed functional infrastructure. | 1 | |
| domain npm.cloudplatform-single-spa.io | Fabricated private npm registry domain in @cloudplatform-single-spa README. Social engineering artifact confirming target org uses a private npm registry. Not confirmed functional infrastructure. | 1 | |
| domain 21baseballacademy.com | Ad script delivery domain used by terminal3airport packages. Hosts external JS payload at cdn.21baseballacademy.com. | 0 | |
| domain abdct.com | Popunder redirect destination triggered by adware in terminal3airport packages. | 0 | |
| domain woofbeginner.com | Additional ad/monetization script host used by terminal3airport packages. | 0 | |
| url https://cdn.21baseballacademy.com/script/jrqK2HPsliMjRW5Q.js | External ad script injected into proxy pages by terminal3airport packages. | 0 | |
| url https://woofbeginner.com/0a/91/35/0a913561831bdf2c26dcf18b852b5cc1.js | Additional monetization script loaded by terminal3airport adware. | 0 | |
| email [email protected] | npm maintainer email for terminal3airport account. Published all 141 malicious packages. | 0 | |
| github_repo lucideproxy/svg | GitHub repository referenced in package source code. Associated with Lucide Proxy project. | 0 | |
| sha256 0d27f455ae056aa908c276d9b17a73d469227257838ec9bcbcb3f1c66169b5a4 | SHA-256 of obfuscated JS file a3g0q43tbe.js found in wave 2-3 packages. | 0 | |
| url ws://204.10.194.247:9877 | WebSocket C2 relay endpoint for forge-jsx RAT campaign | 1 | |
| url http://204.10.194.247:8765 | HTTP API endpoint for forge-jsx RAT campaign | 1 | |
| email [email protected] | npm account email for jacksonkaandorp2, publisher of forge-jsxy (Wave 2) | 1 | |
| email [email protected] | npm account email for rafael_silva, publisher of forge-jsx4 (Wave 3) | 1 | |
| domain taohunter.ai | Domain associated with johntaohunter npm account (Wave 1) | 1 | |
| sha256 4938d47fe6216f8f9fee0527bf5112c04c15a9ea62f87869677619aa5400f09f | SHA-256 of forge-jsxy v1.0.91 (latest Wave 2 version) | 1 | |
| sha256 8070daba5d6ca61c357574526d1e0f468ae575a4edf74cc90a8d8b8c78e3aeef | SHA-256 of forge-jsxy v1.0.66 (first Wave 2 version) | 1 | |
| sha256 6321dacc21675f81c4cee7db8434ca4cf0e228d3b592bde26a0a40f223dbb00e | SHA-256 of forge-jsx4 v1.0.123 tarball (Wave 3) | 1 | |
| file_path ~/.config/systemd/user/forge-js-worker.service | Linux systemd persistence for forge-jsx RAT | 1 | |
| file_path ~/.config/autostart/forge-js-worker.desktop | Linux XDG autostart persistence for forge-jsx RAT | 1 | |
| file_path ~/Library/LaunchAgents/com.forgejs.worker.plist | macOS LaunchAgent persistence for forge-jsx RAT | 1 | |
| ipv4 212.193.3.61 | New C2 IP introduced in Wave 3 parallel packages (pino-zod, zod-pino). AS unknown. WebSocket relay port 9877, HTTP API port 8765. Rotated from 204.10.194.247. | 1 | |
| url ws://212.193.3.61:9877 | WebSocket C2 relay endpoint for forge-jsx RAT Wave 3 parallel packages (pino-zod, zod-pino) | 1 | |
| url http://212.193.3.61:8765 | HTTP API endpoint for forge-jsx RAT Wave 3 parallel packages (pino-zod, zod-pino) | 1 | |
| sha256 0eb72e0794c7e51ca1d790c443b5f573e1288bad6e6c56d1bd9c4b69a71d65d0 | SHA-256 of pino-zod v1.0.122 tarball (Wave 3 parallel) | 1 | |
| sha256 1f7616b3c38f85860abd9ae989d72915e9c13f0d106804471a811a38d63e5293 | SHA-256 of zod-pino v1.0.125 tarball (Wave 3 parallel, latest known version) | 1 | |
| domain polymarketbot.polymarketdev.workers.dev | Network indicator from blog post | 1 | |
| sha256 e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb | SHA-256 hash from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| domain utaq.cfww.shop | Former Coruna exploit kit host (Phase 2). 180.178.50.158 AS45753 Netsec Limited HK. Hosted 14 exploit modules (606KB) at /gooll/. DEAD as of 2026-07-03. | 1 | |
| domain git.youzzjizz.com | Former payload host (Phase 1, version 4.13.3). String.fromCharCode decoded URL. DEAD as of 2026-07-03. | 1 | |
| ipv4 180.178.50.158 | IP for utaq.cfww.shop (former Coruna exploit kit host, Phase 2). AS45753 Netsec Limited, Hong Kong. DEAD. | 1 | |
| ipv4 172.67.141.14 | Cloudflare IP for l1ewsu3yjkqeroy.xyz (former C2 sync, Phase 2). DEAD. | 1 | |
| ipv4 104.21.40.254 | Cloudflare IP for l1ewsu3yjkqeroy.xyz (former C2 sync, Phase 2). DEAD. | 1 | |
| sha256 273206e2973df6ba7474aa66693797c98dcf26b794da4c3e863ab8d8c694868d | [email protected] npm tarball (Phase 1) | 1 | |
| sha256 5b5fe5d92808a732d0d44246cd706295cc739ed7f4dcae19112df666bc5d4f7d | [email protected] npm tarball (Phase 2, unpublished from npm) | 1 | |
| sha256 101afde88ff8b5c02fd341eda55022a39203088c2ff11dcb73214911cf5afb77 | [email protected] npm tarball (Phase 2, unpublished from npm) | 1 | |
| sha256 d8e3973a0b3c5359d1f53a22491b56bdd31dee13a51c01c7126bc6694584512f | Original Coruna exploit kit payload served from v3.jiathis.com/code/jia.js (Phase 2, no longer served) | 1 | |
| sha256 f31bdd069fe7966ae11be1f78ee5dd44445938856dd1df12379e0e84a6851f5c | 49554fde7424c31c.js stage-4 Coruna malware loader (50KB, Phase 2) | 1 | |
| sha1 57620206d62079baad0e57e6d9ec93120c0f5247 | SHA-1/commit-like hash from blog post | 1 | |
| sha1 14669ca3b1519ba2a8f40be287f646d4d7593eb0 | SHA-1/commit-like hash from blog post | 1 | |
| md5 7d86eb847ecfd3c972fa457a6abaa0da | MD5 hash from blog post | 0 | |
| email [email protected] | Persistent maintainer account (daughtrymom). Controls art-template, express-art-template, art-template-loader, koa-art-template across all phases. | 1 | |
| email [email protected] | Phase 2 publisher account (npmpacketmaintainmember7). Published 4.13.5 and 4.13.6. Removed from maintainers after Phase 3. | 1 | |
| email [email protected] | Original legitimate author (aui/tangbin). No longer a maintainer. Transferred ownership after acquisition fraud by KILLER WHAL AI SDN BHD. | 1 | |
| email [email protected] | Phase 1 publisher account (v4v5qc). Published 4.13.3 and 4.13.4. No longer a maintainer. | 1 | |
| domain check.git-service.com | Network indicator from blog post | 1 | |
| domain www.youtube.com | Network indicator from blog post | 1 | |
| ipv4 160.119.64.3 | IP address indicator from blog post | 1 | |
| ipv4 185.95.159.32 | IP address indicator from blog post | 1 | |
| sha256 3de04fe2a76262743ed089efa7115f4508619838e77d60b9a1aab8b20d2cc8bf | SHA-256 hash from blog post | 1 | |
| sha256 85f54c089d78ebfb101454ec934c767065a342a43c9ee1beac8430cdd3b2086f | SHA-256 hash from blog post | 1 | |
| sha256 c0b094e46842260936d4b97ce63e4539b99a3eae48b736798c700217c52569dc | SHA-256 hash from blog post | 1 | |
| sha256 069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce | SHA-256 hash from blog post | 1 | |
| domain t.m-kosche.com | Network indicator from blog post | 1 | |
| ipv4 169.254.170.2 | AWS ECS task metadata endpoint queried for credentials | 2 | |
| sha256 a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c | SHA-256 hash from blog post | 1 | |
| sha1 1916faa365f2788b6e193514872d51a242876569 | SHA-1/commit-like hash from blog post | 1 | |
| sha1 7cb42f57561c321ecb09b4552802ae0ac55b3a7a | SHA-1/commit-like hash from blog post | 1 | |
| sha1 dc3d62a2181beb9f326952a2d212900c94f2e13d | SHA-1/commit-like hash from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| ipv4 1.1.1.1 | IP address indicator from blog post | 1 | |
| ipv4 8.8.8.8 | IP address indicator from blog post | 1 | |
| sha256 449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e | SHA-256 hash from blog post | 1 | |
| sha256 c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea | SHA-256 hash from blog post | 1 | |
| sha256 78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981 | SHA-256 hash from blog post | 1 | |
| sha256 3427a90c8cb9af764445448648176e120ebc6af0a538158340cf6220de4d01b7 | SHA-256 hash from blog post | 1 | |
| sha256 fdba4191831a13debf9d8c0c940b0301c7b7f01d27f1b1c73ed3ceaa2db4103b | SHA-256 hash from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| ipv4 207.90.194.2 | IP address indicator from blog post | 1 | |
| sha1 8daaa2003784a92f4761ed3c9d5560ef8cf4bffa | SHA-1/commit-like hash from blog post | 1 | |
| md5 b604b21749a396111bb111d46d97b1c4 | MD5 hash from blog post | 1 | |
| domain git-tanstack.com | Network indicator from blog post | 1 | |
| domain filev2.getsession.org | Network indicator from blog post | 1 | |
| domain 169.254.169.254 | Network indicator from blog post | 1 | |
| sha256 ce7e4199506959fd7a71b64209b2c07b9c82e53a946aa7d78298dc9249230d01 | SHA-256 hash from blog post | 1 | |
| sha1 79ac49eedf774dd4b0cfa308722bc463cfe5885c | SHA-1/commit-like hash from blog post | 1 | |
| domain 82.221.101.203 | Network indicator from blog post | 1 | |
| ipv4 82.221.101.203 | IP address indicator from blog post | 1 | |
| sha256 263df2348f54f1f4980542a41f69d77b085fb28091a95979ba7f0e9f3d0da861 | SHA-256 hash from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 2 | |
| domain 172.86.73.132 | Network indicator from blog post | 1 | |
| ipv4 172.86.73.132 | IP address indicator from blog post | 1 | |
| sha256 86d17961e9662c53e1fb61701388b7c741bf79c093061df968a3e53c829dcb16 | SHA-256 hash from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| domain paidgirl.site | Operator-controlled origin allow-listed in common-tg-service auth guard | 0 | |
| domain cms.paidgirl.site | ams-ssk deployment serving folders/:folder/files/download-all consumed by common-tg-service | 1 | |
| domain helper-thge.onrender.com | Attribution-laundering HTTP relay; used by common-tg-service on 403/495 responses | 1 | |
| domain promoteclients2.glitch.me | Operator host leaked in ams-ssk Swagger DTO; sequential staging (promoteClients2) | 0 | |
| domain zomcall.netlify.app | Allowed origin in common-tg-service auth guard | 0 | |
| domain report-upi.netlify.app | Allowed origin; names the UPI/India targeting | 0 | |
| email [email protected] | Hardcoded 2FA recovery email implanted on every hijacked Telegram account | 1 | |
| email [email protected] | Operator npoint.io account credentials committed in npoint.service.js | 0 | |
| email [email protected] | npm publisher email for shetty123 (publisher of both packages) | 0 | |
| ipv4 31.97.59.2 | Operator IP allow-listed in common-tg-service auth guard | 0 | |
| ipv4 148.230.84.50 | Operator IP allow-listed in common-tg-service auth guard | 0 | |
| ipv4 13.228.225.19 | Operator IP allow-listed in common-tg-service auth guard | 0 | |
| ipv4 18.142.128.26 | Operator IP allow-listed in common-tg-service auth guard | 0 | |
| ipv4 54.254.162.138 | Operator IP allow-listed in common-tg-service auth guard | 0 | |
| sha1 5061bc9611e31a48a8085cfab4cb875a6cc633ec | common-tg-service-1.3.207.tgz npm tarball | 0 | |
| sha1 80da04770a779330803bdd00d00a354adc12859a | ams-ssk-1.0.33.tgz npm tarball | 0 | |
| domain 152.67.0.53 | Network indicator from blog post | 1 | |
| ipv4 152.67.0.53 | IP address indicator from blog post | 1 | |
| sha256 e2fda5aa8397799669f29258f69e803cf05d322c1d93269eef6754ca024c3865 | SHA-256 hash from blog post | 1 | |
| sha256 3071422c3294e7b61cb490c57c48c8dea569bacf12e57a078293b6547d7586d3 | SHA-256 hash from blog post | 1 | |
| sha256 56070a9d8de0c0ffb1ec5c309953cf4679432df5a78df9aeb020fbb73d2be9fb | SHA-256 hash from blog post | 1 | |
| sha256 5f5852b5f604369945118937b058e49064612ac69826e0adadca39a357dfb5b1 | SHA-256 hash from blog post | 1 | |
| sha256 d2815d425ae08cc627f1db69009442165f8bbc64b7e9157e2ff9d7aab02094d4 | SHA-256 hash from blog post | 1 | |
| sha256 8046a11187c135da6959862ff3846e99ad15462d2ec8a2f77a30ad53ebd5dcf2 | SHA-256 hash from blog post | 1 | |
| sha256 2d4e21d2e78d0868ce7894487e67c67f929d8d81d78c5b07a3ad225b13eae890 | SHA-256 hash from blog post | 1 | |
| sha1 0a3dd44d361c34cd9036eeb3f49601160a636648 | SHA-1/commit-like hash from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| email [email protected] | Spoofed git commit author identity used to plant the binary dropper and blend with AI-assistant automation. Also seen across the Shai-Hulud / Mini Shai-Hulud worm family. | 3 | |
| domain franki.requestcatcher.com | Network indicator from blog post | 1 | |
| ipv4 169.254.169.254 | AWS IMDS endpoint queried for cloud credentials | 3 | |
| email [email protected] | Email indicator from blog post | 1 | |
| ipv4 18.208.244.120 | IP address indicator from blog post | 1 | |
| md5 0123456789abcdef0123456789abcdef | MD5 hash from blog post | 1 | |
| domain audit.checkmarx.cx | Network indicator from blog post | 1 | |
| ipv4 94.154.172.43 | IP address indicator from blog post | 1 | |
| sha256 18f784b3bc9a0bcdcb1a8d7f51bc5f54323fc40cbd874119354ab609bef6e4cb | SHA-256 hash from blog post | 1 | |
| sha256 8605e365edf11160aad517c7d79a3b26b62290e5072ef97b102a01ddbb343f14 | SHA-256 hash from blog post | 1 | |
| sha1 de0fac2e4500dabe0009e67214ff5f5447ce83dd | SHA-1/commit-like hash from blog post | 2 | |
| sha1 bbbca2ddaa5d8feaa63e36b76fdaad77386f024f | SHA-1/commit-like hash from blog post | 2 | |
| ipv4 0.0.0.0 | IP address indicator from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| domain 204.10.194.247 | Network indicator from blog post | 1 | |
| ipv4 204.10.194.247 | C2 server (AS206216 Advin Services LLC, Nurnberg DE). WebSocket relay on port 9877, HTTP API on port 8765. Shared across all forge-jsx/forge-jsxy/forge-jsx4 waves. | 1 | |
| sha256 4cb96c3b033c1aaf7b3d0fe54749058f14d4d914947a6d6d430aca108a7daa5a | SHA-256 of forge-jsx (Wave 1) | 1 | |
| email [email protected] | npm account email for johntaohunter, publisher of @johntaohunter/forge-jsx | 1 | |
| email [email protected] | npm account email for johnceballos0716, publisher of forge-jsx (Wave 1) | 1 | |
| domain api-sub.jrodacooker.dev | Earlier C2 domain for js-logger-pack, DNS since removed | 1 | |
| domain huggingface.co | Network indicator from blog post | 1 | |
| ipv4 195.201.194.107 | WebSocket + HTTP C2 server on port 8010. Hetzner, DE, AS24940. Secondary hostname: copilot-ai.whisdev.org. | 1 | |
| sha256 a49eee6b6db9da14db46587b68bf1d8a80976812f629bf3e100ac6ba83cf8490 | SHA-256 hash from blog post | 1 | |
| sha256 6ce3b22b07fd5aef1dd77237334d80718601e4e02a706485572d3dda8993a4e3 | SHA-256 hash from blog post | 1 | |
| sha256 571533a643e67c38087f4da8cce0d3dc14670a52403717e4943433d392860a7f | SHA-256 hash from blog post | 1 | |
| sha256 585c5ab1fea06bed4956e34ffd6d6b576122addd34d252b163ae0801098e9eaf | SHA-256 hash from blog post | 1 | |
| sha256 9f0a7174f9537bdbf63fe2329cea9a14198076180390af9f43a0e5b5c7c46912 | SHA-256 hash from blog post | 1 | |
| sha256 e35801137cd09fa02aa996145d18ec68d67d71db9810f2608a6285ee1c08b054 | SHA-256 hash from blog post | 1 | |
| sha256 df45bbac7695f0edad3edde36904f2722f2af761887744a2f1d65df705d28dc6 | SHA-256 hash from blog post | 1 | |
| sha256 43c93c609d48b6cb4f1275c285b5e6960ef74e7f5811b442e3c1038d49128d73 | SHA-256 hash from blog post | 1 | |
| sha256 dbbc31c641c2f1b9a867e745c30dda27dff2db7d91f9faddcf08a504ca2a9d11 | SHA-256 hash from blog post | 0 | |
| sha1 b0a0c8779961bcce1851d35125a7b48fc6ec7d5c | SHA-1/commit-like hash from blog post | 0 | |
| email [email protected] | npm publisher account jpeek868, author of js-logger-pack. Part of jpeek account rotation cluster (jpeek868/886/895). DPRK Famous Chollima. | 1 | |
| domain xienztiavkygvacpqzgr.supabase.co | Network indicator from blog post | 1 | |
| domain ndfcioahsbgsjmulpjgt.supabase.co | Network indicator from blog post | 1 | |
| sha256 4600db4fc30fb6ffa68deed4a25679e674bb3a3e8dae31f3dfc83bea0d757a8f | SHA-256 hash from blog post | 1 | |
| sha256 2e131f47090516e5a60553aa40d46823e08162390c1d6deb075cf317f00309f7 | SHA-256 hash from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| domain 64.227.183.144 | Network indicator from blog post | 1 | |
| ipv4 64.227.183.144 | IP address indicator from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| domain cloudflareinsights.vercel.app | Network indicator from blog post | 1 | |
| domain cloudflarefirewall.vercel.app | Network indicator from blog post | 1 | |
| sha256 55bee3abfa26a78989baae1053a778d3b4a984d5451621a851211a45fe2a82b9 | SHA-256 hash from blog post | 1 | |
| sha256 02a00a158ceedaaf7a4bf53002a74d60339d4668d463831fe218905816b72e07 | SHA-256 hash from blog post | 1 | |
| sha256 9d2037fc0ad9ada672d30e17a9496cbde392c5093a9fde0b8f16d28e2e0c50c7 | SHA-256 hash from blog post | 1 | |
| sha256 7bff4518f4d49ddf3d04d8167a6f5f17aed9b3703290f65cf71c61ea61f0a7bc | SHA-256 hash from blog post | 1 | |
| sha256 aa36d4bee44ee1d35af0e211e8cca957044c782b177787b1181d18d6d6323037 | SHA-256 hash from blog post | 1 | |
| sha256 f4914c528cf92a7e97ac3b24138afb86b4cd9db6960d92ffbbff36a1fb90ead9 | SHA-256 hash from blog post | 1 | |
| sha256 fc095d3e6a613e27d267d80b448101ef78b02ec07dd3993c734202839015fb54 | SHA-256 hash from blog post | 1 | |
| sha256 86f60a2196c3d1355efdcfee41f1549c30c6081bf6c106d11e44a64691f8ebd3 | SHA-256 hash from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 0 | |
| domain telemetry.api-monitor.com | Network indicator from blog post | 1 | |
| ipv4 143.198.237.25 | IP address indicator from blog post | 1 | |
| ipv4 23.236.116.77 | IP address indicator from blog post | 1 | |
| ipv4 209.34.235.18 | IP address indicator from blog post | 1 | |
| sha256 4dbecce9ab3cf1739a9b90f9a9f304a3a44f69332320ae0753c129cf078e6f34 | SHA-256 hash from blog post | 1 | |
| sha256 513eed96cabdea495a7141666eb77216dee6f0754ef643917346a47a2ff61476 | SHA-256 hash from blog post | 1 | |
| sha256 834b6e5db5710b9308d0598978a0148a9dc832361f1fa0b7ad4343dcceba2812 | SHA-256 hash from blog post | 1 | |
| domain 89.36.224.5 | Network indicator from blog post | 1 | |
| domain datahub.ink | Network indicator from blog post | 1 | |
| domain cloud-sync.online | Network indicator from blog post | 1 | |
| domain byte-io.us | Network indicator from blog post | 1 | |
| domain api.ipify.org | Network indicator from blog post | 1 | |
| domain ipinfo.io | Legitimate service abused by Epsilon Stealer for victim geolocation (GET /json). Also used for sandbox IP blacklist check. | 1 | |
| ipv4 89.36.224.5 | IP address indicator from blog post | 1 | |
| ipv4 208.115.220.17 | IP address indicator from blog post | 1 | |
| sha256 0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270 | SHA-256 hash from blog post | 1 | |
| sha256 0b028b781950641818800fee2b4bf68e4ef2bcee53fe71a21755275ba108783d | SHA-256 hash from blog post | 1 | |
| sha1 dfd224461edb06c556ee0d5677bd78ddda80b910 | SHA-1/commit-like hash from blog post | 1 | |
| domain prod.universitecentrale.net | Network indicator from blog post | 1 | |
| domain urlvoelpilswwxkiosey.supabase.co | Network indicator from blog post | 1 | |
| domain chat.universitecentrale.net | Network indicator from blog post | 1 | |
| ipv4 146.0.0.0 | IP address indicator from blog post | 1 | |
| sha1 333e5b7c412736685b3c296a58663a7763744949 | SHA-1/commit-like hash from blog post | 1 | |
| sha1 4c385d4376314b24793b6b4e3526783f72383667 | SHA-1/commit-like hash from blog post | 1 | |
| sha1 2a6e3839766d215e40785f6b277dc2a34d4e2f71 | SHA-1/commit-like hash from blog post | 1 | |
| sha1 442158353951337678587c236567276e767a3d39 | SHA-1/commit-like hash from blog post | 1 | |
| sha1 3f3922326c646a2d2f78703073224a3e4a366761 | SHA-1/commit-like hash from blog post | 1 | |
| sha1 3c335f732e6f5c3b48665745325c572b25724a60 | SHA-1/commit-like hash from blog post | 1 | |
| sha1 2968623b3a4c275d544149674522663559617b74 | SHA-1/commit-like hash from blog post | 1 | |
| sha1 5551307d753c3c5a59333c25525f2f446d2a213e | SHA-1/commit-like hash from blog post | 0 | |
| sha1 3d69675671616a6426515e7cc2a32e4ac2a32c33 | SHA-1/commit-like hash from blog post | 0 | |
| sha1 c2a32a743329604e5633767d4e7e567a48246476 | SHA-1/commit-like hash from blog post | 0 | |
| domain admondtamang.com.np | Network indicator from blog post | 1 | |
| domain gist.github.com | Network indicator from blog post | 1 | |
| domain gist.githubusercontent.com | Network indicator from blog post | 1 | |
| sha256 40aa5d412a50db79a814ac5ad65237745727cb4777843d66a760f64285a5a3e6 | SHA-256 hash from blog post | 1 | |
| sha1 1c5d51c2002f452a4dd58a1a73a9dd90a7fe0297 | SHA-1/commit-like hash from blog post | 1 | |
| md5 814132e794e5d007e9b8ebd223a9494f | MD5 hash from blog post | 1 | |
| md5 0c0fc7a0c23cdb5e1c8f66b208053ed6 | MD5 hash from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| ipv4 144.31.107.231 | IP address indicator from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| domain jsonkeeper.com | Network indicator from blog post | 1 | |
| domain 216.126.237.71 | Network indicator from blog post | 1 | |
| ipv4 216.126.237.71 | IP address indicator from blog post | 2 | |
| ipv4 216.126.229.166 | IP address indicator from blog post | 1 | |
| ipv4 216.126.227.239 | IP address indicator from blog post | 1 | |
| sha256 b5cca27ca1d792bd8c46b83fccfa4e5ba38916eb78877a19cbb39392ce98cc39 | SHA-256 hash from blog post | 1 | |
| md5 a36adbc35e69b22acbf9f834a0deb286 | MD5 hash from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| domain sfrclak.com | Network indicator from blog post | 1 | |
| ipv4 142.11.206.73 | IP address indicator from blog post | 1 | |
| sha256 5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd | SHA-256 hash from blog post | 1 | |
| sha256 59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f | SHA-256 hash from blog post | 1 | |
| sha256 fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf | SHA-256 hash from blog post | 1 | |
| sha256 e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09 | SHA-256 hash from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| domain 83.142.209.203 | Network indicator from blog post | 1 | |
| ipv4 83.142.209.203 | IP address indicator from blog post | 1 | |
| sha256 7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9 | SHA-256 hash from blog post | 1 | |
| sha256 cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3 | SHA-256 hash from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| domain models.litellm.cloud | Network indicator from blog post | 1 | |
| domain checkmarx.zone | Network indicator from blog post | 1 | |
| sha256 d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb | SHA-256 hash from blog post | 1 | |
| sha1 9343aeefca37aa49a6ea54397d7615adae5c72c9 | SHA-1/commit-like hash from blog post | 1 | |
| domain malicanbur.pro | Network indicator from blog post | 1 | |
| ipv4 31.220.48.155 | IP address indicator from blog post | 1 | |
| ipv4 173.211.46.22 | IP address indicator from blog post | 1 | |
| sha256 0be2375362227f846c56c4de2db4d3113e197f0c605c297a7e0e0c154e94464e | SHA-256 hash from blog post | 1 | |
| sha256 5196c3a832897e30c26da768379750bd3c886890e74d0f28a8921bbd19b553fc | SHA-256 hash from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| domain discord.com | Network indicator from blog post | 2 | |
| sha256 3733f0add545e5537a7d3171a132df51e0b4105aebe85db35dbe868a056d3d24 | SHA-256 hash from blog post | 1 | |
| sha256 62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0 | SHA-256 hash from blog post | 1 | |
| sha256 a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a | SHA-256 hash from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| domain webhook.site | Network indicator from blog post | 2 | |
| sha256 bc18414929992e8e8d2211f9c51ebc7241294a1af3cfdbdd5ca417974b2dac0b | SHA-256 hash from blog post | 1 | |
| sha256 46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09 | SHA-256 hash from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| sha1 fc4a4858bafef54d1b1d7697bfb5c52f4c166976 | SHA-1/commit-like hash from blog post | 1 | |
| md5 19111111111111111111111111111111 | MD5 hash from blog post | 1 | |
| wallet 0x66a9893cC07D91D95644AEDD05D03f95e1dBA8Af | Cryptocurrency wallet address from blog post | 1 | |
| wallet 0x10ed43c718714eb63d5aa57b78b54704e256024e | Cryptocurrency wallet address from blog post | 1 | |
| wallet 0x13f4ea83d0bd40e75c8222255bc855a974568dd4 | Cryptocurrency wallet address from blog post | 1 | |
| wallet 0x1111111254eeb25477b68fb85ed929f73a960582 | Cryptocurrency wallet address from blog post | 1 | |
| wallet 0xd9e1ce17f2641f24ae83637ab66a2cca9c378b9f | Cryptocurrency wallet address from blog post | 1 | |
| wallet 0xfc4a4858bafef54d1b1d7697bfb5c52f4c166976 | Cryptocurrency wallet address from blog post | 1 | |
| wallet 0x66a9893cc07d91d95644aedd05d03f95e1dba8af | Cryptocurrency wallet address from blog post | 1 | |
| wallet 0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976 | Cryptocurrency wallet address from blog post | 1 | |
| wallet 0xa29eeFb3f21Dc8FA8bce065Db4f4354AA683c024 | Cryptocurrency wallet address from blog post | 1 | |
| wallet 0x40C351B989113646bc4e9Dfe66AE66D24fE6Da7B | Cryptocurrency wallet address from blog post | 1 | |
| wallet 0x30F895a2C66030795131FB66CBaD6a1f91461731 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x57394449fE8Ee266Ead880D5588E43501cb84cC7 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xCd422cCC9f6e8f30FfD6F68C0710D3a7F24a026A | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x7C502F253124A88Bbb6a0Ad79D9BeD279d86E8f4 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xe86749d6728d8b02c1eaF12383c686A8544de26A | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xa4134741a64F882c751110D3E207C51d38f6c756 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xD4A340CeBe238F148034Bbc14478af59b1323d67 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xB00A433e1A5Fc40D825676e713E5E351416e6C26 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xd9Df4e4659B1321259182191B683acc86c577b0f | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x0a765FA154202E2105D7e37946caBB7C2475c76a | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xE291a6A58259f660E8965C2f0938097030Bf1767 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xe46e68f7856B26af1F9Ba941Bc9cd06F295eb06D | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xa7eec0c4911ff75AEd179c81258a348c40a36e53 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x3c6762469ea04c9586907F155A35f648572A0C3E | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x322FE72E1Eb64F6d16E6FCd3d45a376efD4bC6b2 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x51Bb31a441531d34210a4B35114D8EF3E57aB727 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x314d5070DB6940C8dedf1da4c03501a3AcEE21E1 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x75023D76D6cBf88ACeAA83447C466A9bBB0c5966 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x1914F36c62b381856D1F9Dc524f1B167e0798e5E | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xB9e9cfd931647192036197881A9082cD2D83589C | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xE88ae1ae3947B6646e2c0b181da75CE3601287A4 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x0D83F2770B5bDC0ccd9F09728B3eBF195cf890e2 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xe2D5C35bf44881E37d7183DA2143Ee5A84Cd4c68 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xd21E6Dd2Ef006FFAe9Be8d8b0cdf7a667B30806d | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x93Ff376B931B92aF91241aAf257d708B62D62F4C | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x5C068df7139aD2Dedb840ceC95C384F25b443275 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x70D24a9989D17a537C36f2FB6d8198CC26c1c277 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x0ae487200606DEfdbCEF1A50C003604a36C68E64 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xc5588A6DEC3889AAD85b9673621a71fFcf7E6B56 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x3c23bA2Db94E6aE11DBf9cD2DA5297A09d7EC673 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x5B5cA7d3089D3B3C6393C0B79cDF371Ec93a3fd3 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x4Cb4c0E7057829c378Eb7A9b174B004873b9D769 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xd299f05D1504D0B98B1D6D3c282412FD4Df96109 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x241689F750fCE4A974C953adBECe0673Dc4956E0 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xBc5f75053Ae3a8F2B9CF9495845038554dDFb261 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x5651dbb7838146fCF5135A65005946625A2685c8 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x5c9D146b48f664f2bB4796f2Bb0279a6438C38b1 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xd2Bf42514d35952Abf2082aAA0ddBBEf65a00BA3 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xbB1EC85a7d0aa6Cd5ad7E7832F0b4c8659c44cc9 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x013285c02ab81246F1D68699613447CE4B2B4ACC | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x97A00E100BA7bA0a006B2A9A40f6A0d80869Ac9e | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x4Bf0C0630A562eE973CE964a7d215D98ea115693 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x805aa8adb8440aEA21fDc8f2348f8Db99ea86Efb | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xae9935793835D5fCF8660e0D45bA35648e3CD463 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xB051C0b7dCc22ab6289Adf7a2DcEaA7c35eB3027 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xf7a82C48Edf9db4FBe6f10953d4D889A5bA6780D | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x06de68F310a86B10746a4e35cD50a7B7C8663b8d | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x51f3C0fCacF7d042605ABBE0ad61D6fabC4E1F54 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x49BCc441AEA6Cd7bC5989685C917DC9fb58289Cf | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x7fD999f778c1867eDa9A4026fE7D4BbB33A45272 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xe8749d2347472AD1547E1c6436F267F0EdD725Cb | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x2B471975ac4E4e29D110e43EBf9fBBc4aEBc8221 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x02004fE6c250F008981d8Fc8F9C408cEfD679Ec3 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xC4A51031A7d17bB6D02D52127D2774A942987D39 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xa1b94fC12c0153D3fb5d60ED500AcEC430259751 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xdedda1A02D79c3ba5fDf28C161382b1A7bA05223 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xE55f51991C8D01Fb5a99B508CC39B8a04dcF9D04 | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0x7a250d5630b4cf539739df2c5dacb4c659f2488d | Cryptocurrency wallet address from blog post | 0 | |
| wallet 0xe592427a0aece92de3edee1f18e0157c05861564 | Cryptocurrency wallet address from blog post | 0 | |
| sha256 863d274bbeb22ab969f742a06d89bdf0ababb99fdeb074a0fd9057f28b1ef257 | SHA-256 hash from blog post | 1 | |
| sha1 9066ceeb391d9c7ba6aba650109c2fa3f8e088eb | SHA-1/commit-like hash from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |
| sha256 31204fbbc097677d518e1c01d88cf24b491ef29cc8f56d1ef2b81e5ccc8440e2 | SHA-256 hash from blog post | 1 | |
| sha256 c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441 | SHA-256 hash from blog post | 1 | |
| ipv4 206.214.129.67 | IP address indicator from blog post | 1 | |
| ipv4 8.152.163.60 | IP address indicator from blog post | 1 | |
| ipv4 13.60.183.44 | IP address indicator from blog post | 1 | |
| ipv4 13.60.0.0 | IP address indicator from blog post | 1 | |
| ipv4 13.63.255.255 | IP address indicator from blog post | 1 | |
| email [email protected] | Email indicator from blog post | 1 | |