Full description
--- _-= Per source details. Do not edit below this line.=-_
## Source: ossf-package-analysis (6e95d04cb7977b9da45686f61f19767b33fb3e4fd1af5081b1a27acfd9ee9337)
The OpenSSF Package Analysis project identified 'housecallpro' @ 1.0.1 (npm) as malicious. It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Affected versions
1.0.1
References
Full description
## Source: google-open-source-security (5e1924464368f0c5816ee84e000cc47017f44045140feafbbc9e685d847ed5a5)
This package was compromised as part of the "Mini Shai-Hulud is back" worm by the TeamPCP threat actor. The package steals credentials and then propagates itself to every package it has access to. The package also attempts to remain persistent.
Affected versions
1.0.4, 1.0.5
🚨 Indicators of compromise (IOCs)
Domains: git-tanstack.com, filev2.getsession.org, api.masscan.cloud, seed1.getsession.org
References
https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
https://snyk.io/blog/tanstack-npm-packages-compromised/
Full description
## Source: google-open-source-security (5e1924464368f0c5816ee84e000cc47017f44045140feafbbc9e685d847ed5a5)
This package was compromised as part of the "Mini Shai-Hulud is back" worm by the TeamPCP threat actor. The package steals credentials and then propagates itself to every package it has access to. The package also attempts to remain persistent.
Affected versions
All versions < 0.1.4, 0.1.5
🚨 Indicators of compromise (IOCs)
Domains: git-tanstack.com, filev2.getsession.org, api.masscan.cloud, seed1.getsession.org
References
https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
https://snyk.io/blog/tanstack-npm-packages-compromised/
Full description
## Source: google-open-source-security (5e1924464368f0c5816ee84e000cc47017f44045140feafbbc9e685d847ed5a5)
This package was compromised as part of the "Mini Shai-Hulud is back" worm by the TeamPCP threat actor. The package steals credentials and then propagates itself to every package it has access to. The package also attempts to remain persistent.
Affected versions
2.4.6
🚨 Indicators of compromise (IOCs)
Domains: git-tanstack.com, filev2.getsession.org, api.masscan.cloud, seed1.getsession.org
References
https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
https://snyk.io/blog/tanstack-npm-packages-compromised/
Full description
## Source: google-open-source-security (5e1924464368f0c5816ee84e000cc47017f44045140feafbbc9e685d847ed5a5)
This package was compromised as part of the "Mini Shai-Hulud is back" worm by the TeamPCP threat actor. The package steals credentials and then propagates itself to every package it has access to. The package also attempts to remain persistent.
Affected versions
All versions < 0.10.1
🚨 Indicators of compromise (IOCs)
Domains: git-tanstack.com, filev2.getsession.org, api.masscan.cloud, seed1.getsession.org
References
https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
https://snyk.io/blog/tanstack-npm-packages-compromised/
Full description
## Source: ossf-package-analysis (1a650b67b76184573f147a7b286249b1de734cfa85647aea9a9bea3284e155f8)
The OpenSSF Package Analysis project identified 'hedwig-tsconfig' @ 99.8.1 (npm) as malicious. It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
Affected versions
99.8.1
References
Full description
## Source: kam193 (d545ff7c3c178485cfb49d0028c4c808e67d0ee0fddcb4b7b195c943bb07d888)
The package pretends to be a fork of a legitimate Rust library and uses the identity of the original authors. During usage, the obfuscated code targets information held by Kanji/Iru security tools and exfiltrates basic information to a typosquatted domain.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-apkeep
Reasons (based on the campaign):
- The package contains code to exfiltrate basic data from the system, like IP or username. It has a limited risk.
- obfuscation
- impersonation
- action-hidden-in-lib-usage
Affected versions
All versions < 0.1.0, 1.0.1
🚨 Indicators of compromise (IOCs)
Domains: pureapk.co, api.pureapk.co
Full description
## Source: ossf-package-analysis (a5df536f40d00940affdae35145eefe56cf78dc9302c4b2853776a4ae630182b)
The OpenSSF Package Analysis project identified 'cplace-bmw-emt-mvp' @ 2.0.4 (npm) as malicious. It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Affected versions
2.0.4
References
Full description
## Source: kam193 (13911c4c1e0334b4e4d972e3b3256a08f8991d3935d74086c252ed085d3984a0)
The package hides code that downloads and executes a next-stage payload, which then communicates with the C2 and listens for further code parts. In the analyzed version, the malicious code was not triggered.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-11-spellcheckers
Reasons (based on the campaign):
- obfuscation
- Downloads and executes a remote malicious script.
- The package contains code to execute remote commands (probably limited to a specific set) on the victim's machine.
Affected versions
1.0.0
🚨 Indicators of compromise (IOCs)
Domains: dothebest.store, searchbox.info, updatenet.work
C2 URLs: https://dothebest.store/allow/inform.php, https://dothebest.store/refresh.php, https://searchbox.info/prefer.php, https://updatenet.work/settings/history.php, https://dothebest.store/allow, https://dothebest.store/k/bag.php
Full description
## Source: ossf-package-analysis (ae48d96d56721a03c7dc73f65481de029c854bb43a0be30983efeaa8a136c8c7)
The OpenSSF Package Analysis project identified 'crypto-javascri' @ 1.3.6 (npm) as malicious. It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Affected versions
1.3.6
References
Full description
## Source: ossf-package-analysis (a8bd78a0c0e2baca560a44d5047bc0414e53cea80e7a97f0d37a109025bba99f)
The OpenSSF Package Analysis project identified '@mimecast-ui/components' @ 2.0.0 (npm) as malicious. It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Affected versions
2.0.0
References
Full description
## Source: ossf-package-analysis (831be2c3e6c9885c479ff2920f4f2bd45a313483073af42ed59ba0ac78a98e3b)
The OpenSSF Package Analysis project identified '@mimecast-ui/charts' @ 2.0.0 (npm) as malicious. It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Affected versions
2.0.0
References
Full description
## Source: ossf-package-analysis (b2500116350b47c62998ce7a19415357cb4384f0a1d0976e86cd042e2556b8ec)
The OpenSSF Package Analysis project identified '@cplace-workflow-fe/cf-workflow' @ 2.0.4 (npm) as malicious. It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Affected versions
2.0.4
References
Full description
## Source: kam193 (1109b5dc74c94551027044e54e20f9c1c18f89d53da6af87861ba4773eae1966)
The package contains code to install remotely stored malware and ensure its persistence. The code is not triggered automatically; it requires a separate trigger.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-07-cas-base
Reasons (based on the campaign):
- Downloads and executes a remote executable.
- malware
- persistence
Affected versions
1.0.0
🚨 Indicators of compromise (IOCs)
Domains: pub-b63e77578ffe42519de7d1771935f8b0.r2.dev
C2 URLs: https://pub-b63e77578ffe42519de7d1771935f8b0.r2.dev/Kaylew.zip, https://pub-b63e77578ffe42519de7d1771935f8b0.r2.dev/Ddrat.zip, https://pub-b63e77578ffe42519de7d1771935f8b0.r2.dev/Edge.zip
References
https://www.virustotal.com/gui/file/20377b8ee72f1371ed41228f47d4bce20b1b3c89b8465626fb78bc3f18ea935e/detection
https://www.virustotal.com/gui/file/0338390d7b545f2695622df543b67b9a87131416b71dfb368a874a335a55238f/detection
https://github.com/kamakshyatest4/python-malware/blob/45f86d614fd5c8c01d844a458d56c292c7c060c2/requirements.txt#L1
https://tria.ge/250712-jwamlsyxat
https://www.virustotal.com/gui/file/cd4e27e9d32c1ef71a49c3c7695be591cb3400763b22471347c4af1db366685e
https://www.virustotal.com/gui/file/40b64916c5a38fde2b9939c674a2eaefd39df6216014e35a86b596746d34e2e9
https://bad-packages.kam193.eu/pypi/package/xxx-bale
Full description
## Source: ossf-package-analysis (b2291adfbdded958f2fa2a51aa5e582d8ec4bad5bb1c5c9b614bd496732c3578)
The OpenSSF Package Analysis project identified 'pp-react-v5' @ 10.0.0 (npm) as malicious. It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Affected versions
10.0.0
References
Full description
## Source: kam193 (df9e0498d827adeb16ea11e4a1137133d2124f039942b776f7ac098a257cd164)
If executed as a module, the obfuscated code collects and exfiltrates sensitive data, including passwords saved in a browser.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-old-mpkg123
Reasons (based on the campaign):
- infostealer
- obfuscation
- A Telegram webhook is used to send collected data.
- exfiltration-browser-data
Affected versions
All versions < 0.0.0
Full description
## Source: kam193 (74ce2be8301ccea70138e307282fbf70ede26eede2a531296145f7d0da695b80)
The package contains code to install remotely stored malware and ensure its persistence. The code is not triggered automatically; it requires a separate trigger.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2025-07-cas-base
Reasons (based on the campaign):
- Downloads and executes a remote executable.
- malware
- persistence
Affected versions
1.0.0
🚨 Indicators of compromise (IOCs)
Domains: pub-b63e77578ffe42519de7d1771935f8b0.r2.dev
C2 URLs: https://pub-b63e77578ffe42519de7d1771935f8b0.r2.dev/Kaylew.zip, https://pub-b63e77578ffe42519de7d1771935f8b0.r2.dev/Ddrat.zip, https://pub-b63e77578ffe42519de7d1771935f8b0.r2.dev/Edge.zip
References
https://www.virustotal.com/gui/file/20377b8ee72f1371ed41228f47d4bce20b1b3c89b8465626fb78bc3f18ea935e/detection
https://www.virustotal.com/gui/file/0338390d7b545f2695622df543b67b9a87131416b71dfb368a874a335a55238f/detection
https://github.com/kamakshyatest4/python-malware/blob/45f86d614fd5c8c01d844a458d56c292c7c060c2/requirements.txt#L1
https://tria.ge/250712-jwamlsyxat
https://www.virustotal.com/gui/file/cd4e27e9d32c1ef71a49c3c7695be591cb3400763b22471347c4af1db366685e
https://www.virustotal.com/gui/file/40b64916c5a38fde2b9939c674a2eaefd39df6216014e35a86b596746d34e2e9
https://bad-packages.kam193.eu/pypi/package/xxoo-bale
Full description
## Source: ossf-package-analysis (1b7d770b773df64355a4fac410adc86f9778e470efdcc18ede73eb6024a3f982)
The OpenSSF Package Analysis project identified 'byvendors' @ 99.0.6 (npm) as malicious. It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Affected versions
99.0.6, 99.0.5
References
Full description
## Source: kam193 (9cfdf8d83ac7dc528caac3292d1b02ba162629b349789149fbbfcb7094f778b0)
Generic campaign for all (likely) research / pentest packages where the amount or kind of collected data raises questions about the privacy, security and ethical side.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: GENERIC-questionable-pentest
Reasons (based on the campaign):
- exfiltration-env-variables
- exfiltration-generic
- The package overrides the install command in setup.py to execute malicious code during installation.
- typosquatting
## Source: ossf-package-analysis (48fb39f196967f77f180992af73bc9c3db726ebf65804516c2b914aae6690466)
The OpenSSF Package Analysis project identified 'dlocal-cli' @ 99.0.1 (pypi) as malicious. It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Affected versions
99.0.0, 99.0.1, 99.0.2, 99.0.3
Full description
## Source: ossf-package-analysis (affd33d7e3176affb789f5616ae90292f98624c848073cacb1dbf7a044ef83a0)
The OpenSSF Package Analysis project identified 'ac-sasskit' @ 100.0.6 (npm) as malicious. It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Affected versions
100.0.6
References
Full description
## Source: kam193 (f5ebdaebc61cf7a888322348e074f219519b7d09a24ab91732d8bc5061d86b2e)
The package provides a special image-storing field for Django REST Framework based on a legitimate implementation from the Hipo/drf-extra-fields repository. The malicious modification appends the cloud credentials and the full `settings` values to the serialized form of specific image types. This way, an attacker can retrieve the sensitive values by downloading the uploaded image back.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-old-django-b64-img
Reasons (based on the campaign):
- exfiltration-credentials
- obfuscation
- backdoor
Affected versions
1.1
Full description
## Source: ossf-package-analysis (ca8cde633391c1292f4bc8a50e783760044b5bea6312639fb3470418619c1b9d)
The OpenSSF Package Analysis project identified 'rsflows-pexml' @ 99.9.25 (npm) as malicious. It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Affected versions
99.9.9, 99.9.25
References
Full description
## Source: ossf-package-analysis (b5f6c654d7fccfbe2c9c80d226319a191f30a61f37e36a2691ded47aafab85ef)
The OpenSSF Package Analysis project identified 'noon-contracts' @ 1.0.0 (npm) as malicious. It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Affected versions
1.0.0
References
Full description
## Source: ossf-package-analysis (6ee91ffff812d05531df7ad59d39eb10a0db8bf0ed97263701d772f4a5429e60)
The OpenSSF Package Analysis project identified 'post-purchase-bundler' @ 99.9.25 (npm) as malicious. It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Affected versions
99.9.9
References
Full description
## Source: kam193 (4b2052172f5c854b2e91f6bdc9336a97469cd161372621a1880d9cd1e3ad426a)
The code silently exfiltrates the private key of a crypto account.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-old-web3-py-checksum
Reasons (based on the campaign):
- crypto-related
- exfiltration-crypto
Affected versions
1.1
Full description
## Source: ossf-package-analysis (50365d8256527fa5afa757d8d15674e861bec80afcd6517d018e329f3e4fa93f)
The OpenSSF Package Analysis project identified '@miurba/alcazaba' @ 99.99.99 (npm) as malicious. It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Affected versions
99.99.99
References
Full description
## Source: ossf-package-analysis (de8207d2ceae0bddf174a97bcdf63bbf4d758383fabd8f642818c858cd6fca67)
The OpenSSF Package Analysis project identified 'mw-filesystem-events-nodream' @ 0.0.32 (npm) as malicious. It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
Affected versions
All versions < 0.0.32
References
Full description
## Source: ossf-package-analysis (7c016d8bfa18ffdc8d7841d9f3bccf6432967fd275e5a74b5f8a7415b174f23d)
The OpenSSF Package Analysis project identified '@rsi-community/hub-schema' @ 99.99.99 (npm) as malicious. It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Affected versions
99.99.99
References
Full description
## Source: kam193 (da4e8d5daae9a14e0ceb5a942afd308068957ec655cdd950b2b041934e9ec182)
During installation, obfuscated code exfiltrates cryptocurrency wallet data to a hardcoded location and places a backdoor through a new authorized SSH key. Information about the placed backdoor is sent back to the attacker, and the sshd configuration is adjusted to ensure a successful remote connection.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-ninja-core-utils
Reasons (based on the campaign):
- The package overrides the install command in setup.py to execute malicious code during installation.
- obfuscation
- crypto-related
- exfiltration-crypto
- backdoor
Affected versions
1.2.5
🚨 Indicators of compromise (IOCs)
IPs: 144.126.142.148
C2 URLs: http://144.126.142.148:5555/tao, http://144.126.142.148:5555/report
Full description
## Source: kam193 (029e190fc99763d65a096339b29fa85aeb0a23c3818a632a2dd4dc99f3e8fd64)
During installation, obfuscated code exfiltrates cryptocurrency wallet data to a hardcoded location and places a backdoor through a new authorized SSH key. Information about the placed backdoor is sent back to the attacker, and the sshd configuration is adjusted to ensure a successful remote connection.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-ninja-core-utils
Reasons (based on the campaign):
- The package overrides the install command in setup.py to execute malicious code during installation.
- obfuscation
- crypto-related
- exfiltration-crypto
- backdoor
Affected versions
1.2.2
🚨 Indicators of compromise (IOCs)
IPs: 144.126.142.148
C2 URLs: http://144.126.142.148:5555/tao, http://144.126.142.148:5555/report
Full description
## Source: ossf-package-analysis (b308cd4e6d4c434c8a74fa1c1a14f354498072da7c7d3e7ab790766b11828a17)
The OpenSSF Package Analysis project identified '@matjp/dvi-decode' @ 0.4.101 (npm) as malicious. It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Affected versions
All versions < 0.4.101
References
Full description
## Source: kam193 (2098233a75602dd1779f720f566420f4a88ec77694b206e7858323b5aeea38d5)
The package is disguised as a utility, but in fact loads encrypted code as modules. However, loading it requires knowing the decryption key, which is not included in the package.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-ggfmttygl
Reasons (based on the campaign):
- obfuscation
- The malicious code is intentionally included in a dependency of the package
Affected versions
1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4
Full description
## Source: kam193 (e741cc1df48cc526ad3a27ac702f5dea403723557b4a485f84847340310d66e5)
The package is disguised as a utility, but in fact loads encrypted code as modules. However, loading it requires knowing the decryption key, which is not included in the package.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-ggfmttygl
Reasons (based on the campaign):
- obfuscation
- The malicious code is intentionally included in a dependency of the package
Affected versions
1.0.0
Full description
## Source: kam193 (ce4d4558612dd659843989e690b64a3c4073d5a4b34217c2e89a5325835da685)
During installation or import, the package silently adds a new authorized SSH key. It is closely related to the 2026-05-ninja-core-utils campaign, but there is no built-in crypto exfiltration.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-ninja-ssh-proto
Reasons (based on the campaign):
- backdoor
- obfuscation
Affected versions
1.1.0
🚨 Indicators of compromise (IOCs)
C2 URLs: http://144.126.142.148:5555/report
Full description
## Source: kam193 (6f2ecdbc9e024d6dc51c8e5d48941c5aac432db65ad733317aed159d480973cd)
During installation or import, the package silently adds a new authorized SSH key. It is closely related to the 2026-05-ninja-core-utils campaign, but there is no built-in crypto exfiltration.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-ninja-ssh-proto
Reasons (based on the campaign):
- backdoor
- obfuscation
Affected versions
1.1.0
🚨 Indicators of compromise (IOCs)
C2 URLs: http://144.126.142.148:5555/report
Full description
## Source: kam193 (18da24e92fd40457ad3df2af568c07d41b35f44e6e07e8fac3bf0eafba9c2154)
During installation, obfuscated code exfiltrates cryptocurrency wallet data to a hardcoded location and places a backdoor through a new authorized SSH key. Information about the placed backdoor is sent back to the attacker, and the sshd configuration is adjusted to ensure a successful remote connection.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-ninja-core-utils
Reasons (based on the campaign):
- The package overrides the install command in setup.py to execute malicious code during installation.
- obfuscation
- crypto-related
- exfiltration-crypto
- backdoor
Affected versions
1.2.4, 1.2.5
🚨 Indicators of compromise (IOCs)
IPs: 144.126.142.148
C2 URLs: http://144.126.142.148:5555/tao, http://144.126.142.148:5555/report
Full description
## Source: ossf-package-analysis (a64eb5f60a8d57bd23e8b18ceeea76083900d2400329d2e68d47e5264e6d76ab)
The OpenSSF Package Analysis project identified 'apple-mycelium-fix' @ 1.2.1778333524 (npm) as malicious. It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Affected versions
1.2.1778333524, 1.8.1778336376
References
Full description
## Source: ossf-package-analysis (0edb2241655649c1939ad8633be7ac2c8459093640c8948a579b63f581dbadac)
The OpenSSF Package Analysis project identified 'oneblk-design-system' @ 99.99.99 (npm) as malicious. It is considered malicious because:
- The package executes one or more commands associated with malicious behavior.
Affected versions
99.99.99
References
Full description
## Source: ossf-package-analysis (877202a4cdc7e48b1c51134c2d69b1535050faa6c1fdd32c8d8f1eade3a66783)
The OpenSSF Package Analysis project identified 'devsite-youtube' @ 99.9.0 (npm) as malicious. It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Affected versions
99.9.0
References
Full description
## Source: amazon-inspector (64edea611ad8e383c09495a7a6f7afd4fb86b88136c331ddf787bf0285259bf3)
The package typo-crypto was found to contain malicious code.
Affected versions
4.3.0
References
Full description
## Source: ossf-package-analysis (72bed005637ce1e176a91f2823967cf51bd6922b80c71343d65da7097f6fabbe)
The OpenSSF Package Analysis project identified 'money-badger-open-rpc-test-bugbount' @ 201.99.100 (npm) as malicious. It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
Affected versions
201.99.100
References
Full description
## Source: kam193 (84f71e430b37d8fe0ee6c72826071159bb146664fe17d9a596f6e611579851f7)
During installation or import, the package silently adds a new authorized SSH key. It is closely related to the 2026-05-ninja-core-utils campaign, but there is no built-in crypto exfiltration.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-ninja-ssh-proto
Reasons (based on the campaign):
- backdoor
- obfuscation
Affected versions
1.0.2, 1.0.4
🚨 Indicators of compromise (IOCs)
C2 URLs: http://144.126.142.148:5555/report
Full description
## Source: ossf-package-analysis (d4e6037c07125a354ac2958e36321453a0dc6e28dcfe5f3c5749f58c302cb908)
The OpenSSF Package Analysis project identified 'tecken' @ 0.1.13 (npm) as malicious. It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
Affected versions
All versions < 0.1.2
References
Full description
## Source: ossf-package-analysis (43201e77d986713200b2c3f3de10a94b94d87a3d86183e8c6a203533fc32346f)
The OpenSSF Package Analysis project identified 'coral-dev-proxy' @ 99.9.2 (npm) as malicious. It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
- The package executes one or more commands associated with malicious behavior.
Affected versions
99.9.2
References
Full description
## Source: kam193 (fbe38f659a9fac5304f648aa594e12123221abd687755378f05b3efe17d6d4c7)
During installation, obfuscated code exfiltrates cryptocurrency wallet data to a hardcoded location.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-ninja-core-utils
Reasons (based on the campaign):
- The package overrides the install command in setup.py to execute malicious code during installation.
- obfuscation
- crypto-related
- exfiltration-crypto
- backdoor
Affected versions
1.3.3, 1.3.4
🚨 Indicators of compromise (IOCs)
IPs: 144.126.142.148
C2 URLs: http://144.126.142.148:5555/tao
Full description
## Source: ossf-package-analysis (f96009564f8e7e51171ad83f7ac75822ab1b1492ab73b06b4596a0686418299f)
The OpenSSF Package Analysis project identified '@gaia-codesearch/gaia-api-typescript' @ 0.0.5 (npm) as malicious. It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Affected versions
All versions < 0.0.5
References
Full description
## Source: ossf-package-analysis (a2e1f356fe59b17e0506a18830d5cb200068eac98fcd4ed8439105edc5dc717c)
The OpenSSF Package Analysis project identified '@gaia-codesearch/gaia-api-python' @ 0.0.5 (npm) as malicious. It is considered malicious because:
- The package communicates with a domain associated with malicious activity.
Affected versions
All versions < 0.0.5
References
Full description
## Source: kam193 (3b0cce18986ec63fd689844cfc29b4023837d71b35b173a9cb08476c7575fcf2)
The code automatically scans the filesystem looking for BIP-39 seed phrases and data indicating private keys, and exfiltrates them.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-solana-wallet-sdk
Reasons (based on the campaign):
- files-exfiltration
- crypto-related
- exfiltration-crypto
Affected versions
1.0.0
🚨 Indicators of compromise (IOCs)
IPs: 46.225.21.180
C2 URLs: http://46.225.21.180:3000/api/narrative-accounts
Full description
## Source: kam193 (3c24dfc47c3ee1d37f4d7ec65a43d1f861422d7fb3ee6f8e8b6e6a85fe2b5120)
The code automatically scans the filesystem looking for BIP-39 seed phrases and data indicating private keys, and exfiltrates them.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-solana-wallet-sdk
Reasons (based on the campaign):
- files-exfiltration
- crypto-related
- exfiltration-crypto
Affected versions
1.0.0
🚨 Indicators of compromise (IOCs)
IPs: 46.225.21.180
C2 URLs: http://46.225.21.180:3000/api/narrative-accounts
Full description
## Source: kam193 (84d2f533c52b85d9b3b4c27fe3863e57365308d49b7a412038b26047e6704450)
The code automatically scans the filesystem looking for BIP-39 seed phrases and data indicating private keys, and exfiltrates them.
---
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-05-solana-wallet-sdk
Reasons (based on the campaign):
- files-exfiltration
- crypto-related
- exfiltration-crypto
Affected versions
1.0.0
🚨 Indicators of compromise (IOCs)
IPs: 46.225.21.180
C2 URLs: http://46.225.21.180:3000/api/narrative-accounts