malware npm

changiairportpromax

discovered 2026-05-27

Wave 1 package from terminal3airport. Contains Scramjet-based web proxy (Lucide Proxy) with popunder ads, external ad/tracking scripts, and Google Analytics. Disguised as tutoring website.

Threat types

other

Malicious versions

1.1.3

Indicators

domain 21baseballacademy.comcommunicates-with
domain abdct.comcommunicates-with
domain woofbeginner.comcommunicates-with
email [email protected]communicates-with
github_repo lucideproxy/svgcommunicates-with

Techniques

ttp T1027 Obfuscated Files or Informationuses
ttp T1036 Masqueradinguses
ttp Automated Package Registry Abuseuses
ttp T1608.004 Stage Capabilities: Drive-By Targetuses
ttp Service Worker Fetch Interceptionuses

Read the full analysis →