T1027
Obfuscated Files or Information
Discovered: 2025-09-16

Wave 4 payload is an obfuscator.io-style single-line ~160 KB script using a custom lowercase-first base64 alphabet (abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=) plus a per-string RC4 layer. Static base64 decode of the string table only recovers primitives such as charCodeAt/fromCharCode; sensitive strings (C2, headers, file list) remain RC4-protected. This differs from Wave 3's WaCk/JScrambler string-array obfuscation.
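An analyst-side decoder for the two-layer string protection described above, added here as an example and not code from this page or from any of the listed packages or campaigns. It implements base64 over the lowercase-first alphabet quoted above plus plain RC4, then builds a constructed string table (the key `example-key` and every string in it are made up; nothing is taken from the Wave 4 payload) to show why a base64-only pass recovers primitives like charCodeAt while the RC4-wrapped entries stay opaque until the key is supplied. The layering order (RC4 inside, base64 outside) is assumed from the description on the page.

```python
"""Decoder for custom-alphabet base64 wrapped around per-string RC4.

Added example; the string table at the bottom is constructed for the demo.
"""
import string

# Alphabet as stated on the page: lowercase first, then uppercase, digits, '+/' and '=' padding.
CUSTOM_ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits + "+/="
# RFC 4648 ordering, for comparison only.
STANDARD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/="


def custom_b64_decode(data: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Decode base64 whose 64 symbols (plus '=' padding) come from `alphabet`."""
    table = {c: i for i, c in enumerate(alphabet[:64])}
    out = bytearray()
    bits = nbits = 0
    for ch in data:
        if ch == alphabet[64]:      # padding: nothing useful follows
            break
        if ch not in table:         # tolerate junk symbols sprinkled by obfuscators
            continue
        bits = (bits << 6) | table[ch]
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1
    return bytes(out)


def custom_b64_encode(raw: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Inverse of custom_b64_decode; used here only to build the constructed table."""
    out = []
    for i in range(0, len(raw), 3):
        chunk = raw[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        syms = [(n >> 18) & 63, (n >> 12) & 63, (n >> 6) & 63, n & 63]
        keep = len(chunk) + 1
        out.append("".join(alphabet[s] for s in syms[:keep]) + alphabet[64] * (4 - keep))
    return "".join(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it both wraps and unwraps strings."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _printable(data: bytes) -> bool:
    """True when every byte is printable ASCII (the usual 'this decoded' heuristic)."""
    return len(data) > 0 and all(32 <= b < 127 for b in data)


def triage_table(table, rc4_key=None):
    """Classify each entry as ('b64', text) when base64 alone yields printable
    ASCII, ('rc4', text) when it only becomes printable after RC4 with the
    supplied key, or ('opaque', None) when it is still protected / wrong key."""
    results = []
    for entry in table:
        raw = custom_b64_decode(entry)
        if _printable(raw):
            results.append(("b64", raw.decode("ascii")))
            continue
        if rc4_key is not None:
            dec = rc4(rc4_key, raw)
            if _printable(dec):
                results.append(("rc4", dec.decode("ascii")))
                continue
        results.append(("opaque", None))
    return results


# Constructed sample table mirroring the layering on the page: primitives are
# base64-only, sensitive strings are RC4 first, then base64. Key and strings are
# invented for this example; none come from the Wave 4 payload.
SAMPLE_KEY = b"example-key"
PLAIN_ENTRIES = ["charCodeAt", "fromCharCode"]
SENSITIVE_ENTRIES = ["https://c2.example.invalid/upload", "x-api-token"]
STRING_TABLE = (
    [custom_b64_encode(s.encode()) for s in PLAIN_ENTRIES]
    + [custom_b64_encode(rc4(SAMPLE_KEY, s.encode())) for s in SENSITIVE_ENTRIES]
)

if __name__ == "__main__":
    print("base64 only :", triage_table(STRING_TABLE))
    print("with RC4 key:", triage_table(STRING_TABLE, SAMPLE_KEY))
```

Running the module prints two passes: without the key the first two entries decode and the last two are reported opaque; with the key all four decode. In a real sample the RC4 key is an argument to the string-decoder function in the script, so the second pass is what recovers the C2 and header strings the page says stay protected.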
Seen in packages (relation: uses)
- npm @ctrl/tinycolor
- npm @zapier/zapier-sdk
- npm @asyncapi/specs
- npm @quick-start-soft/quick-markdown-print
- npm @quick-start-soft/quick-markdown
- npm @quick-start-soft/quick-remove-image-background
- npm @quick-start-soft/quick-git-clean-markdown
- npm @quick-start-soft/quick-document-translator
- npm @quick-start-soft/quick-markdown-image
- npm @quick-start-soft/quick-task-refine
- npm @asyncapi/modelina
- npm posthog-react-native
- npm posthog-node
- npm @postman/secret-scanner-wasm
- npm @postman/csv-parse
- npm @postman/node-keytar
- npm @postman/tunnel-agent
- npm @postman/wdio-allure-reporter
- npm @postman/postman-mcp-cli
- npm @postman/mcp-ui-client
- npm @postman/wdio-junit-reporter
- npm @postman/pm-bin-macos-arm64
- npm @postman/pm-bin-linux-x64
- npm @postman/aether-icons
- pypi litellm
- pypi telnyx
- npm sjs-biginteger
- npm sjs-lint-build1
- npm bjs-biginteger
- npm bjs-lint-builder
- npm bjs-lint-builders
- npm cjs-biginteger
- npm ts-lint-builds
- npm @bitwarden/cli
- pypi pytorch-lightning
- npm @antv/layout-wasm
- npm art-template
- npm forge-jsxy
- npm forge-jsx4
- npm pino-zod
- npm zod-pino
- npm changiairportpromax
- npm @redhat-cloud-services/patch-client
- npm weavedb-sdk
- pypi gpt-pilot
- npm atomic-lockfile
- npm @mastra/core
- npm easy-day-js
- npm procwire
- npm @apexcraft/nano-key
- npm @bytemend/mfebus
- npm @chunklab/hexparse
- npm @zynkit/jwtbytes
- npm @petitcode/eb-retry
- npm @tinyfox/shapecheck
- npm @glitchpad/throttler
- npm @thymelab/logfx
- npm @briskforge/envcheck
- npm @lazyutil/dater
- npm @frostnode/waitfor
- npm leo-sdk
- npm @immobiliarelabs/backstage-plugin-ldap-auth-backend
- npm @immobiliarelabs/backstage-plugin-gitlab-backend
- npm @immobiliarelabs/backstage-plugin-gitlab
- npm @immobiliarelabs/backstage-plugin-ldap-auth
- npm @marketfront/header
- npm @tqm-mfe/main
Campaigns (relation: attributed-to)
- Shai-Hulud
- TeamPCP
- big.js Typosquat SSH Backdoor
- Mini Shai-Hulud
- art-template npm Supply Chain Compromise
- forge-jsx RAT
- Miasma: The Spreading Blight
- IronWorm
- Atomic Arch
- @mastra npm Scope Takeover
- procwire / deltajohnsons Windows Dropper
- wshu.net npm Credential-Stealer Campaign
- oob-moika-tech-depconf-2026