url

/api/v1/events

discovered 2026-07-01

Wave 4 exfiltration path. Receives a gzip-compressed HTTPS POST carrying harvested credential-file contents, gated by a custom X-Secret header. The full C2 host is RC4+XOR-concealed in the payload and was NOT statically resolved — only the path is known. Detection artifact: outbound POST to /api/v1/events with an X-Secret header and gzip body from a workstation/CI agent during npm install.
