wshu.net
SUPPORTING signal, NOT a unique attacker indicator. wshu.net is a PUBLIC DISPOSABLE-EMAIL provider (verified on disposable-email blocklists: disposable-email-domains, fakefilter, MISP warninglists, authgear free-email list, and in unrelated apps' temp-mail signup logs), so the domain alone catches many unrelated throwaway accounts and is a noisy pivot. The campaign uses the per-scope burner pattern <scope>-<6rand>@wshu.net across all 12 scopes; treat that pattern as corroborating evidence only when combined with the durable code fingerprint (shared runPrepare/onInstall javascript-obfuscator wrapper + byte-identical/near-identical payload blobs + the 2026-06-04 publish burst), not as a standalone domain pivot. The earlier noon-contracts npm package (publisher [email protected], 2026-05-10) shares only this disposable-email provider, not payload or code.