Umbrella supply chain campaign tracked by Wiz (Rami McCarthy) that compromises developer tooling, package registries, and CI/CD across npm, PyPI, Docker, VSCode, and Packagist. The initial wave abused Checkmarx-themed decoy domains (checkmarx.zone, audit.checkmarx.cx) and shared C2 (94.154.172.43) to trojanize litellm and, through a cascading KICS compromise, @bitwarden/cli. Attribution strings reuse Dune terminology, linking it to the Shai-Hulud worm family.
Objective
Compromise the software supply chain to steal cloud and developer credentials at scale.
Related campaigns
Packages
Indicators
Techniques
- T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- T1059.006 Command and Scripting Interpreter: Python
- T1552.001 Unsecured Credentials: Credentials In Files
- T1041 Exfiltration Over C2 Channel
- T1105 Ingress Tool Transfer
- T1071.001 Application Layer Protocol: Web Protocols
- T1546 Event Triggered Execution
- T1027 Obfuscated Files or Information
- T1059.007 Command and Scripting Interpreter: JavaScript
