centralogger
centralogger is identified in the SafeDep analysis "Malicious dom-utils-lite npm SSH Backdoor via Supabase". dom-utils-lite and centralogger on npm inject attacker SSH keys into ~/.ssh/authorized_keys and exfiltrate server metadata to Supabase-hosted C2 infrastructure, granting persistent remote access.
discovered 2026-04-14
Threat types
persistence, data_exfiltration, c2_agent
Malicious versions
- 1.0.5
- 1.0.6
- 1.0.7
- 1.0.8
- 1.0.9
Campaigns
Indicators
- domain: xienztiavkygvacpqzgr.supabase.co (communicates-with)
- domain: ndfcioahsbgsjmulpjgt.supabase.co (communicates-with)
- sha256: 4600db4fc30fb6ffa68deed4a25679e674bb3a3e8dae31f3dfc83bea0d757a8f (indicates)
- sha256: 2e131f47090516e5a60553aa40d46823e08162390c1d6deb075cf317f00309f7 (indicates)
- email: [email protected] (exfiltrates-to)
Techniques
- ttp: T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools (uses)
- ttp: T1059.007 Command and Scripting Interpreter: JavaScript (uses)
- ttp: T1041 Exfiltration Over C2 Channel (uses)
- ttp: T1552.004 Unsecured Credentials: Private Keys (uses)
- ttp: T1105 Ingress Tool Transfer (uses)
- ttp: T1071.001 Application Layer Protocol: Web Protocols (uses)
- ttp: T1102 Web Service (uses)
- ttp: T1546 Event Triggered Execution (uses)
