T1140

Deobfuscate/Decode Files or Information

discovered 2026-06-01

XOR-decoding the C2 URL from endpointmap's _ep/_p byte arrays using a key derived from the helper package's own manifest name (Buffer.from('endpointmap').slice(0,8) = 'endpoint'); no key constant is stored.

View on MITRE ATT&CK

Seen in packages

npm @redhat-cloud-services/patch-clientuses
npm weavedb-sdkuses
npm @mastra/coreuses
npm easy-day-jsuses
npm procwireuses

Campaigns

Miasma: The Spreading Blightattributed-to
IronWormattributed-to
@mastra npm Scope Takeoverattributed-to
procwire / deltajohnsons Windows Dropperattributed-to