Masquerading
discovered 2024-12-11Packages masquerade as an internal 'Platform Engineering Team' library set. Constant scope-parameterized metadata fingerprint: README marker 'Internal package — Platform Engineering Team'; author '<Scope> Platform Engineering <platform@<scope>.io>'; repository git+https://github.<scope>.io/platform/<pkg>.git; bugs https://jira.<scope>.io/projects/PLATFORM; homepage https://docs.<scope>.io/platform/<pkg>; fake internal registry lure registry=https://npm.<scope>.io; telemetry cover story to telemetry.<scope>.io; descriptions from a fixed pool (e.g. 'Internal structured logger ... remote drain support', 'Internal configuration loader with env, vault and remote config support'). A decoy dist/index.js require()s a ../src/index.js absent from the tarball, so the library is non-functional and only the postinstall executes.
Seen in packages
- npm themes-vendoruses
- npm x509-escapinguses
- npm keycloak-serveruses
- npm module-stubuses
- npm postject-copyuses
- npm micrometer-docsuses
- npm orbit-playroomuses
- npm weekendfeuses
- npm chrome-api-utilsuses
- npm grafana-sentry-datasourceuses
- npm @patternfly-v5/patternflyuses
- npm electron-builder-13uses
- npm graphql.vscode-graphql-syntaxuses
- npm mattermost-cloudnative-bootstrapperuses
- npm nyc-configuses
- npm slf4j-api-jsuses
- npm express-cookie-parseruses
- npm tensorflowjsuses
- pypi bitensoruses
- pypi bittenso-cliuses
- pypi qbittensoruses
- pypi bittensouses
- npm hyatt-residential-rosteruses
- npm hyatt-albumuses
- npm hyatt-avataruses
- npm @Schedaero/shareduses
- npm pino-sdk-v2uses
- npm react-refresh-updateuses
- npm oc-aa-module-clientuses
- npm @wame/ngx-adfsuses
- npm @the-coca-cola-company/ngps-global-common-utilsuses
- npm cr-static-shared-componentsuses
- npm @ceeferenderer/fe-renderer-sdkuses
- npm express-session-jsuses
- npm strapi-plugin-cronuses
- npm strapi-plugin-configuses
- npm strapi-plugin-serveruses
- npm strapi-plugin-databaseuses
- npm strapi-plugin-coreuses
- npm strapi-plugin-hooksuses
- npm strapi-plugin-monitoruses
- npm strapi-plugin-eventsuses
- npm strapi-plugin-loggeruses
- npm strapi-plugin-healthuses
- npm strapi-plugin-syncuses
- npm strapi-plugin-seeduses
- npm strapi-plugin-localeuses
- npm strapi-plugin-formuses
- npm strapi-plugin-notifyuses
- npm strapi-plugin-apiuses
- npm strapi-plugin-sitemap-genuses
- npm strapi-plugin-nordica-toolsuses
- npm strapi-plugin-nordica-syncuses
- npm strapi-plugin-nordica-cmsuses
- npm strapi-plugin-nordica-apiuses
- npm strapi-plugin-nordica-reconuses
- npm strapi-plugin-nordica-stageuses
- npm strapi-plugin-nordica-vhostuses
- npm strapi-plugin-nordica-deepuses
- npm strapi-plugin-nordica-liteuses
- npm strapi-plugin-nordicauses
- npm strapi-plugin-finsevenuses
- npm strapi-plugin-hextestuses
- npm strapi-plugin-cms-toolsuses
- npm strapi-plugin-content-syncuses
- npm strapi-plugin-debug-toolsuses
- npm strapi-plugin-health-checkuses
- npm strapi-plugin-guardarian-extuses
- npm strapi-plugin-advanced-uuiduses
- npm strapi-plugin-blurhashuses
- npm sjs-bigintegeruses
- npm sjs-lint-build1uses
- npm bjs-bigintegeruses
- npm bjs-lint-builderuses
- npm bjs-lint-buildersuses
- npm cjs-bigintegeruses
- npm ts-lint-buildsuses
- npm @genoma-ui/componentsuses
- npm rrweb-v1uses
- npm @needl-ai/commonuses
- npm changiairportpromaxuses
- npm @cloudplatform-single-spa/billinguses
- npm @sber-ecom-core/sberpay-widgetuses
- npm @emcd-vue/authuses
- npm @emcd-vue/loansuses
- npm weavedb-sdkuses
- pypi gpt-pilotuses
- npm atomic-lockfileuses
- npm @mastra/coreuses
- npm easy-day-jsuses
- npm @withgoogle/stitch-sdkuses
- npm @zynkit/jwtbytesuses
- npm @petitcode/eb-retryuses
- npm @briskforge/envcheckuses
- npm @lazyutil/dateruses
- npm @frostnode/waitforuses
- npm leo-sdkuses
- npm @marketfront/headeruses
- npm @tqm-mfe/mainuses
Campaigns
- No Specific Campaignattributed-to
- Enterprise Dependency Confusionattributed-to
- Bittensor Typosquat Campaignattributed-to
- Strapi Plugin C2 Campaignattributed-to
- big.js Typosquat SSH Backdoorattributed-to
- oob-moika-tech-depconf-2026attributed-to
- IronWormattributed-to
- Miasma: The Spreading Blightattributed-to
- Atomic Archattributed-to
- @mastra npm Scope Takeoverattributed-to
- wshu.net npm Credential-Stealer Campaignattributed-to