T1140
Deobfuscate/Decode Files or Information
discovered 2026-06-01XOR-decoding the C2 URL from endpointmap's _ep/_p byte arrays using a key derived from the helper package's own manifest name (Buffer.from('endpointmap').slice(0,8) = 'endpoint'); no key constant is stored.
View on MITRE ATT&CKSeen in packages
- npm @redhat-cloud-services/patch-clientuses
- npm weavedb-sdkuses
- npm @mastra/coreuses
- npm easy-day-jsuses
- npm procwireuses
- npm @immobiliarelabs/backstage-plugin-ldap-auth-backenduses
- npm paysafe-checkoutuses
- pypi paysafe-sdkuses
- go github.com/kaleidora/dnsub-scanning-tooluses
- nuget DependencyInjector.Coreuses
- npm @injectivelabs/sdk-tsuses
- npm tslint-confuses