url
/api/v1/events
discovered 2026-07-01
Wave 4 exfiltration path. Receives a gzip-compressed HTTPS POST carrying harvested credential-file contents, gated by a custom X-Secret header. The full C2 host is RC4+XOR-concealed in the payload and was NOT statically resolved — only the path is known. Detection artifact: outbound POST to /api/v1/events with an X-Secret header and gzip body from a workstation/CI agent during npm install.
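The detection artifact above, written as a matcher over egress events. This is an added example, not code from the original record; the event schema (`id`, `method`, `url`, `headers`, `ancestry`), the confidence labels and the npm verb list are assumptions, and the sample events are constructed.

```python
from urllib.parse import urlsplit

EXFIL_PATH = "/api/v1/events"           # from the indicator record; C2 host is unknown
INSTALL_VERBS = {"install", "i", "ci"}  # assumption: npm install and its common variants

def _header(headers, name):
    """HTTP field names are case-insensitive, so compare lowercased."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def _is_npm_install(cmdline):
    tokens = cmdline.lower().replace("\\", "/").split()
    has_npm = any(t.rsplit("/", 1)[-1].startswith("npm") for t in tokens)
    return has_npm and bool(INSTALL_VERBS & set(tokens))

def classify(event):
    """Return 'high', 'medium' or None for one egress event (hypothetical schema)."""
    if event.get("method", "").upper() != "POST":
        return None
    # Match on the parsed path only: any host, query string and trailing slash ignored.
    if urlsplit(event.get("url", "")).path.rstrip("/") != EXFIL_PATH:
        return None
    headers = event.get("headers", {})
    if _header(headers, "X-Secret") is None:
        return None
    codings = (_header(headers, "Content-Encoding") or "").lower().split(",")
    if "gzip" not in (c.strip() for c in codings):
        return None
    # All network indicators match; an npm install ancestor raises confidence.
    if any(_is_npm_install(c) for c in event.get("ancestry", [])):
        return "high"
    return "medium"  # e.g. proxy-only logs with no process telemetry

def scan(events):
    return {e["id"]: v for e in events if (v := classify(e)) is not None}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": "e1", "method": "POST", "url": "https://host.example.invalid/api/v1/events?b=1",
     "headers": {"x-secret": "REDACTED", "Content-Encoding": "gzip"},
     "ancestry": ["node /usr/lib/node_modules/npm/bin/npm-cli.js install", "node postinstall.js"]},
    {"id": "e2", "method": "post", "url": "https://host.example.invalid/api/v1/events/",
     "headers": {"X-Secret": "REDACTED", "content-encoding": "GZIP"}, "ancestry": []},
    {"id": "e3", "method": "POST", "url": "https://telemetry.example.invalid/api/v1/events",
     "headers": {"Content-Encoding": "gzip"}, "ancestry": ["npm install"]},
    {"id": "e4", "method": "GET", "url": "https://host.example.invalid/api/v1/events",
     "headers": {"X-Secret": "REDACTED"}, "ancestry": ["npm ci"]},
]
```

Because the host was not resolved, the matcher keys on path, header and encoding together; the path alone is common in legitimate telemetry APIs, as event `e3` shows.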