[{"kind":"url","value":"https://o4511539639222272.ingest.de.sentry.io/api/4511539669368912/envelope/","context":"Sentry ingest (envelope) endpoint abused as the C2/exfiltration drop. build.rs POSTs stolen git metadata and source diffs here via curl. Sentry org ID o4511539639222272, project ID 4511539669368912, region host ingest.de.sentry.io.","href":"/ti/ioc/url/url-0e9db416e643","campaigns":[],"discovered_at":"2026-06-10"},{"kind":"domain","value":"o4511539639222272.ingest.de.sentry.io","context":"Region-pinned Sentry ingest host (org subdomain o4511539639222272, EU/de region) used for exfiltration.","href":"/ti/ioc/domain/o4511539639222272.ingest.de.sentry.io","campaigns":[],"discovered_at":"2026-06-10"},{"kind":"github_repo","value":"cenotelie/onering","context":"Source repository of the onering crate; malicious build.rs introduced in commit 45e552f541dd96c2ac224d1b97cb7cda1c1d63e9.","href":"/ti/ioc/github_repo/github_repo-513cb4ee12b9","campaigns":[],"discovered_at":"2026-06-10"},{"kind":"file_path","value":"build.rs","context":"Cargo build script added to the crate; executes at compile time on the consumer machine and performs the data collection and exfiltration. build.rs is a standard Cargo file name, so this path is only meaningful in combination with the onering crate and its malicious commit, not as a standalone match.","href":"/ti/ioc/file_path/file_path-d0d989980925","campaigns":[],"discovered_at":"2026-06-10"},{"kind":"url","value":"https://8197ee42c4f59c83f4cc6d48f5bae821@o4511539639222272.ingest.de.sentry.io/4511539669368912","context":"Full Sentry DSN embedded in the envelope 'dsn' field. The public key 8197ee42c4f59c83f4cc6d48f5bae821 is the most specific attributable indicator in the payload (distinct from the bare ingest URL). DSN form: https://<public_key>@o<org>.ingest.<region>.sentry.io/<project_id>. 
Hunt for the literal key 8197ee42c4f59c83f4cc6d48f5bae821 in package sources and outbound traffic.","href":"/ti/ioc/url/url-22995333e34a","campaigns":[],"discovered_at":"2026-06-10"},{"kind":"file_path","value":"Cargo.toml","context":"Dependency-level indicator: the malicious commit adds a build-dependency 'uuid = { version = \"1.23\", default-features = false, features = [\"v4\"] }' to Cargo.toml, used for Uuid::new_v4().as_simple() to generate the Sentry event_id. An otherwise-unexpected 'uuid' build-dep appearing alongside a new build.rs is a strong combined signal.","href":"/ti/ioc/file_path/file_path-2e9d962a0832","campaigns":[],"discovered_at":"2026-06-10"},{"kind":"sha256","value":"51b4dd39a15af1e28e97adc375849d688423ec3d88e8010644395fcdea52a3cc","context":"core/telemetry/_hooks.py — Python stager injected into gpt-pilot; derived from edxeth/Shai-Hulud-Open-Source PYTHON_LOADER.py","href":"/ti/ioc/sha256/51b4dd39a15af1e28e97adc375849d688423ec3d88e8010644395fcdea52a3cc","campaigns":["Miasma: The Spreading Blight"],"discovered_at":"2026-06-08"},{"kind":"sha256","value":"c96f37e1b9cdc9683a300909492ed9f770b620d0037e5b80e23753cba7ca4077","context":"core/telemetry/_runtime.bin — 758 KB Bun JS payload with // @bun @bun-cjs header, MxGPr9 string-array rotation obfuscation, fromCodePoint decoder","href":"/ti/ioc/sha256/c96f37e1b9cdc9683a300909492ed9f770b620d0037e5b80e23753cba7ca4077","campaigns":["Miasma: The Spreading Blight"],"discovered_at":"2026-06-08"},{"kind":"file_path","value":"core/telemetry/_hooks.py","context":"Python stager file path in compromised gpt-pilot repository","href":"/ti/ioc/file_path/file_path-c202cdb8f68f","campaigns":[],"discovered_at":"2026-06-08"},{"kind":"file_path","value":"core/telemetry/_runtime.bin","context":"Bun JS payload file path; .bin extension used to blend with compiled asset naming 
conventions","href":"/ti/ioc/file_path/file_path-b39532b51e5d","campaigns":[],"discovered_at":"2026-06-08"},{"kind":"file_path","value":"core/telemetry/.loader.lock","context":"Run-once lock file; presence indicates prior stager execution on the host","href":"/ti/ioc/file_path/file_path-01372a18cbf5","campaigns":["Miasma: The Spreading Blight"],"discovered_at":"2026-06-08"},{"kind":"github_repo","value":"Pythagora-io/gpt-pilot","context":"Compromised Python AI coding assistant repository; injected via direct PAT push","href":"/ti/ioc/github_repo/github_repo-5278c0f8c305","campaigns":["Miasma: The Spreading Blight"],"discovered_at":"2026-06-08"},{"kind":"github_repo","value":"edxeth/Shai-Hulud-Open-Source","context":"Attacker toolkit repository (created 2026-05-13); contains src/assets/PYTHON_LOADER.py — the template for the gpt-pilot stager","href":"/ti/ioc/github_repo/github_repo-6686c727cc01","campaigns":["Miasma: The Spreading Blight"],"discovered_at":"2026-06-08"},{"kind":"github_repo","value":"deadbeef3137/Shai-Hulud-Open-Source","context":"Fork of attacker toolkit edxeth/Shai-Hulud-Open-Source","href":"/ti/ioc/github_repo/github_repo-707bc529039b","campaigns":[],"discovered_at":"2026-06-08"},{"kind":"file_path","value":"tools/setup","context":"~976 KB UPX-packed Rust ELF infostealer binary dropped inside the malicious npm tarball; invoked by the package.json preinstall hook (preinstall: ./tools/setup).","href":"/ti/ioc/file_path/file_path-a3dec2550575","campaigns":["IronWorm"],"discovered_at":"2026-06-03"},{"kind":"file_path","value":".github/scripts/precheck","context":"Alternate in-repo path for the IronWorm Rust binary dropper, committed under the spoofed claude author identity.","href":"/ti/ioc/file_path/file_path-5a0085c54ae6","campaigns":["IronWorm"],"discovered_at":"2026-06-03"},{"kind":"file_path","value":"q2.bpf.c","context":"eBPF rootkit component source filename recovered from .BTF.ext debug metadata left in the embedded ELF object (214 verbatim 
source lines). Provides process hiding (/proc rewriting), TCP socket hiding (netlink filtering), and anti-debugging (ptrace interception, SIGKILL).","href":"/ti/ioc/file_path/file_path-79ddd9e3946a","campaigns":["IronWorm"],"discovered_at":"2026-06-03"},{"kind":"url","value":"http://127.0.0.1:8738","context":"Local loopback HTTP listener used to capture wallet credential POSTs (Exodus desktop wallet password + BIP-39 seed mnemonic injected from the browser/app).","href":"/ti/ioc/url/url-826c7261870d","campaigns":["IronWorm"],"discovered_at":"2026-06-03"},{"kind":"url","value":"https://temp.sh","context":"Fallback exfiltration host (public file-sharing service), reached over Tor when the primary Tor hidden-service C2 is unavailable.","href":"/ti/ioc/url/url-0c6e64b7ce44","campaigns":["IronWorm"],"discovered_at":"2026-06-03"},{"kind":"url","value":"tor://api/agent","context":"Primary C2 beacon path /api/agent served over a Tor hidden service (.onion address not published by the researcher). Provides remote shell plus file download/execute. Tor reached via custom torrc + downloaded Tor expert bundle.","href":"/ti/ioc/url/url-22fc577bf3e0","campaigns":["IronWorm"],"discovered_at":"2026-06-03"},{"kind":"url","value":"https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package","context":"npm OIDC Trusted Publishing token-exchange endpoint abused for self-replication: mints a package-scoped automation token without stored credentials, then republishes trojanized versions.","href":"/ti/ioc/url/url-9e57ef0cdfb1","campaigns":["IronWorm"],"discovered_at":"2026-06-03"},{"kind":"wallet","value":"0x7e28D9889f414B06c19a22A9Bd316f0AC279a4d6","context":"Operator's own Ethereum wallet, derived from a hardcoded BIP-39 recovery phrase ('bench crane defense corn wheel trial news abuse finish better paddle slush') left inside the binary and present in the malware's wallet skip-list. 
Near-empty test wallet; an OPSEC failure that aids attribution.","href":"/ti/ioc/wallet/0x7e28D9889f414B06c19a22A9Bd316f0AC279a4d6","campaigns":["IronWorm"],"discovered_at":"2026-06-03"},{"kind":"github_repo","value":"asteroid-dao/eternal-storage","context":"Victim GitHub repo poisoned by IronWorm. Malicious commit SHA a8f0c75a77698759413dbadcb99b62709816ed42 (backdated, spoofed claude author).","href":"/ti/ioc/github_repo/github_repo-8791fd799b8f","campaigns":["IronWorm"],"discovered_at":"2026-06-03"},{"kind":"github_repo","value":"asteroid-dao/asteroid-protocol","context":"Victim GitHub repo poisoned by IronWorm. Malicious commit SHA 5d7c93caf50a447a8d48cafe2e5cff6b47618b13.","href":"/ti/ioc/github_repo/github_repo-da1dce5360f1","campaigns":["IronWorm"],"discovered_at":"2026-06-03"},{"kind":"github_repo","value":"alisista/aht-testnet","context":"Victim GitHub repo poisoned by IronWorm. Malicious commit SHA 10c619e75181d07ddcccb5c1f62766c85fef08df.","href":"/ti/ioc/github_repo/github_repo-cf1ffc3c8ced","campaigns":["IronWorm"],"discovered_at":"2026-06-03"},{"kind":"github_repo","value":"ocrybit/mweb3waves","context":"Victim GitHub repo (compromised account ocrybit) poisoned by IronWorm. Malicious commit SHA 0fe6a098fe698e586188e0f2e851ef43f1a35958.","href":"/ti/ioc/github_repo/github_repo-e989fd3a0454","campaigns":["IronWorm"],"discovered_at":"2026-06-03"},{"kind":"github_repo","value":"ocrybit/by-coffeescript","context":"Victim GitHub repo (compromised account ocrybit) poisoned by IronWorm. Malicious commit SHA fd64413119575fa119eaa9f94d32208c7d916796.","href":"/ti/ioc/github_repo/github_repo-f8dec39ca7bc","campaigns":["IronWorm"],"discovered_at":"2026-06-03"},{"kind":"email","value":"epsteinfuckniggerss911@proton.me","context":"npm maintainer email for account speedsteraxios (faster-axios publisher). Offensive/racist throwaway. 
Weak actor selector.","href":"/ti/ioc/email/epsteinfuckniggerss911@proton.me","campaigns":["Epsilon Axios Typosquat Campaign"],"discovered_at":"2026-06-01"},{"kind":"sha256","value":"f89694ba247a7a67e582572094c9f19d2e09882eff8917f78125d54b733bd24e","context":"faster-axios@1.17.3 npm tarball","href":"/ti/ioc/sha256/f89694ba247a7a67e582572094c9f19d2e09882eff8917f78125d54b733bd24e","campaigns":["Epsilon Axios Typosquat Campaign"],"discovered_at":"2026-06-01"},{"kind":"sha256","value":"80c18e0d71a31a2e66d8796c6d7081fa3414c1801057131f1cd851c87c1a029e","context":"faster-axios@1.17.4 npm tarball","href":"/ti/ioc/sha256/80c18e0d71a31a2e66d8796c6d7081fa3414c1801057131f1cd851c87c1a029e","campaigns":["Epsilon Axios Typosquat Campaign"],"discovered_at":"2026-06-01"},{"kind":"sha256","value":"bc46e88b1fdf8c27e3404146306b4651f69728f7d8d939a219dfbcb5a23ef69a","context":"Stage 4 hello.exe. PE32 NSIS self-extracting installer, 86,235,515 bytes (~86MB). Contains electron-builder Electron app with Epsilon Stealer in resources/app.asar -> src/index.js (3,360 lines). NSIS header references www.inkscape.org (decoy).","href":"/ti/ioc/sha256/bc46e88b1fdf8c27e3404146306b4651f69728f7d8d939a219dfbcb5a23ef69a","campaigns":["Epsilon Axios Typosquat Campaign"],"discovered_at":"2026-06-01"},{"kind":"url","value":"https://cold5.gofile.io/download/web/c5d2304a-2ede-4fd8-904b-9a6cdd3f8a6c/analyst.js","context":"faster-axios v1.17.3 stage-2 delivery URL (gofile.io file hosting). Now returns landing page; likely token-gated or removed.","href":"/ti/ioc/url/url-d1b4590859c1","campaigns":["Epsilon Axios Typosquat Campaign"],"discovered_at":"2026-06-01"},{"kind":"url","value":"https://apparently-movers-mysql-heights.trycloudflare.com/download/datab1","context":"faster-axios v1.17.4 stage-2 delivery URL (Cloudflare quick-tunnel C2). LIVE, returned HTTP 200. 
Stage 3 = Windows-only dropper.","href":"/ti/ioc/url/url-be8a73e94fa8","campaigns":["Epsilon Axios Typosquat Campaign"],"discovered_at":"2026-06-01"},{"kind":"url","value":"https://apparently-movers-mysql-heights.trycloudflare.com/download/epsilon","context":"Stage 4 download URL. Dropper fetches hello.exe to %TEMP% and runs via child_process.execFile.","href":"/ti/ioc/url/url-b3babde08035","campaigns":["Epsilon Axios Typosquat Campaign"],"discovered_at":"2026-06-01"},{"kind":"url","value":"https://apparently-movers-mysql-heights.trycloudflare.com/download/browser","context":"Shellcode download URL. Epsilon Stealer fetches XOR-encoded (key 0xAA) shellcode for process injection into dllhost.exe.","href":"/ti/ioc/url/url-2cc6594188a1","campaigns":["Epsilon Axios Typosquat Campaign"],"discovered_at":"2026-06-01"},{"kind":"domain","value":"apparently-movers-mysql-heights.trycloudflare.com","context":"Cloudflare quick-tunnel C2 host for faster-axios. Serves: stage-2 delivery (/download/datab1), stage-4 PE (/download/epsilon), and shellcode (/download/browser).","href":"/ti/ioc/domain/apparently-movers-mysql-heights.trycloudflare.com","campaigns":["Epsilon Axios Typosquat Campaign"],"discovered_at":"2026-06-01"},{"kind":"domain","value":"recorded-distinct-face-girlfriend.trycloudflare.com","context":"Epsilon Stealer exfil API tunnel. Endpoints: /customer (registration), /upload (file exfil), /discord-token (Discord token exfil), /clip (clipboard data).","href":"/ti/ioc/domain/recorded-distinct-face-girlfriend.trycloudflare.com","campaigns":["Epsilon Axios Typosquat Campaign"],"discovered_at":"2026-06-01"},{"kind":"url","value":"https://recorded-distinct-face-girlfriend.trycloudflare.com/customer","context":"Epsilon Stealer exfil API base. 
Sub-endpoints: /upload, /discord-token, /clip.","href":"/ti/ioc/url/url-46d756474c87","campaigns":["Epsilon Axios Typosquat Campaign"],"discovered_at":"2026-06-01"},{"kind":"domain","value":"consequences-faces-weblogs-clinical.trycloudflare.com","context":"SHARED INFRASTRUCTURE linking turbo-axios and faster-axios (high confidence same operator). turbo-axios v1.17.2 used this tunnel as stage-2 C2 at /download/datab1. faster-axios Epsilon Stealer source references this tunnel as DOWNLOAD_URL constant (line 99) at /download/load. Campaign-level pivot indicator.","href":"/ti/ioc/domain/consequences-faces-weblogs-clinical.trycloudflare.com","campaigns":["Epsilon Axios Typosquat Campaign"],"discovered_at":"2026-06-01"},{"kind":"url","value":"https://consequences-faces-weblogs-clinical.trycloudflare.com/download/load","context":"Secondary download URL used by Epsilon Stealer (faster-axios) for additional payload retrieval.","href":"/ti/ioc/url/url-37957119e0f9","campaigns":["Epsilon Axios Typosquat Campaign"],"discovered_at":"2026-06-01"},{"kind":"url","value":"https://consequences-faces-weblogs-clinical.trycloudflare.com/download/datab1","context":"turbo-axios v1.17.2 stage-2 C2 endpoint. Same tunnel reused in faster-axios Epsilon Stealer source. Key infrastructure pivot linking both packages to one operator.","href":"/ti/ioc/url/url-bfddb6cbe803","campaigns":["Epsilon Axios Typosquat Campaign"],"discovered_at":"2026-06-01"},{"kind":"domain","value":"philosophy-moms-incoming-milton.trycloudflare.com","context":"Cloudflare quick-tunnel C2 for turbo-axios v1.17.3 stage-2 delivery. Endpoint: /download/datab1. 
Rotated tunnel after consequences-faces-weblogs-clinical was used for v1.17.2.","href":"/ti/ioc/domain/philosophy-moms-incoming-milton.trycloudflare.com","campaigns":["Epsilon Axios Typosquat Campaign"],"discovered_at":"2026-06-01"},{"kind":"url","value":"https://philosophy-moms-incoming-milton.trycloudflare.com/download/datab1","context":"turbo-axios v1.17.3 stage-2 delivery URL. Rotated Cloudflare quick-tunnel with same /download/datab1 path pattern as all other campaign tunnels.","href":"/ti/ioc/url/url-94fe81bf151c","campaigns":["Epsilon Axios Typosquat Campaign"],"discovered_at":"2026-06-01"},{"kind":"domain","value":"prep-integer-lit-preferences.trycloudflare.com","context":"WebSocket RAT gateway for Epsilon Stealer. Persistent WSS connection with auto-reconnect. Supports arbitrary cmd.exe/powershell execution with real-time stdout streaming.","href":"/ti/ioc/domain/prep-integer-lit-preferences.trycloudflare.com","campaigns":["Epsilon Axios Typosquat Campaign"],"discovered_at":"2026-06-01"},{"kind":"file_path","value":"%TEMP%\\hello.exe","context":"Windows drop path for stage-4 NSIS PE, executed via child_process.execFile.","href":"/ti/ioc/file_path/file_path-299e62eaf3d2","campaigns":["Epsilon Axios Typosquat Campaign"],"discovered_at":"2026-06-01"},{"kind":"file_path","value":"%LOCALAPPDATA%\\Microsoft\\Windows\\0\\svchost.exe","context":"Epsilon Stealer persistence copy. Binary copied here and launched via HKCU Run key on reboot.","href":"/ti/ioc/file_path/file_path-06ddc0f31f33","campaigns":[],"discovered_at":"2026-06-01"},{"kind":"file_path","value":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost","context":"Registry Run key set by Epsilon Stealer for boot persistence. 
Points to %LOCALAPPDATA%\\Microsoft\\Windows\\0\\svchost.exe.","href":"/ti/ioc/file_path/file_path-63c727ebbb91","campaigns":[],"discovered_at":"2026-06-01"},{"kind":"file_path","value":"%TEMP%\\browser-extraction-<username>","context":"Staging directory for injected browser credential data. <username> replaced with victim's Windows username.","href":"/ti/ioc/file_path/file_path-a0f1aa8e96f1","campaigns":[],"discovered_at":"2026-06-01"},{"kind":"file_path","value":"%TEMP%\\epsilon-<username>","context":"Main staging directory for all Epsilon Stealer exfil data. <username> replaced with victim's Windows username.","href":"/ti/ioc/file_path/file_path-a4a63f7fd166","campaigns":[],"discovered_at":"2026-06-01"},{"kind":"github_repo","value":"speedsteraxios","context":"npm publisher account handle for faster-axios (used as weak actor selector; not a confirmed GitHub repo).","href":"/ti/ioc/github_repo/github_repo-d1b2ccd914ac","campaigns":["Epsilon Axios Typosquat Campaign"],"discovered_at":"2026-06-01"},{"kind":"email","value":"emcd-vue@proton.me","context":"npm maintainer email for the emcd-vue account that published the Wave 3 packages. Anonymous Proton Mail address. Fourth email identity tied to the oob-moika-tech campaign.","href":"/ti/ioc/email/emcd-vue@proton.me","campaigns":["oob-moika-tech-depconf-2026"],"discovered_at":"2026-06-01"},{"kind":"domain","value":"emcd-vue.io","context":"Fake domain used in Wave 3 package README and metadata to impersonate the EMCD organization. Not related to real emcd.io. Social engineering artifact.","href":"/ti/ioc/domain/emcd-vue.io","campaigns":["oob-moika-tech-depconf-2026"],"discovered_at":"2026-06-01"},{"kind":"domain","value":"github.emcd-vue.io","context":"Fake GitHub subdomain used as the repository URL in @emcd-vue package metadata (git+https://github.emcd-vue.io/platform/auth.git). 
Social engineering artifact designed to mimic a private GitHub Enterprise instance.","href":"/ti/ioc/domain/github.emcd-vue.io","campaigns":[],"discovered_at":"2026-06-01"},{"kind":"file_path","value":"~/.emcd-vue_init.js","context":"Second-stage dropper written to the user home directory (not OS temp dir) by the Wave 3 postinstall hook, then spawned detached. Dot-hidden file. Persistence upgrade over Waves 1+2 which used os.tmpdir().","href":"/ti/ioc/file_path/file_path-18b2e77e2232","campaigns":["oob-moika-tech-depconf-2026"],"discovered_at":"2026-06-01"},{"kind":"file_path","value":"~/.emcd-vue_init/","context":"Home-directory cache directory used for run-once deduplication. Contains JSON files keyed by hash(package_name + hostname + project_root). Wave 3 replacement for Wave 2's ~/.cache/._t-in-one_init/.","href":"/ti/ioc/file_path/file_path-3694d055c31d","campaigns":[],"discovered_at":"2026-06-01"},{"kind":"file_path","value":"EMCD_VUE_NO_TELEMETRY","context":"Functional kill switch environment variable checked by the Wave 3 postinstall code. Setting this variable causes the payload to exit early without beaconing. NOT the variable advertised in the README (which is EMCD_VUE_8D440FE1_NO_TEL — non-functional by design).","href":"/ti/ioc/file_path/file_path-d28f087cd53b","campaigns":[],"discovered_at":"2026-06-01"},{"kind":"file_path","value":"EMCD_VUE_8D440FE1_NO_TEL","context":"README-advertised kill switch env var — deliberately mismatched from the functional code kill switch (EMCD_VUE_NO_TELEMETRY). Setting this variable does NOT prevent payload execution. 
Social engineering artifact: the 8D440FE1 hex fragment in the name indicates deliberate construction, not a typo.","href":"/ti/ioc/file_path/file_path-bda88e7bb928","campaigns":[],"discovered_at":"2026-06-01"},{"kind":"sha256","value":"031ba872d5a84bfb18115f432811e4b45180346a1bae653f7fd85f918e7bb3a3","context":"patch-client@4.0.4 malicious tarball SHA256","href":"/ti/ioc/sha256/031ba872d5a84bfb18115f432811e4b45180346a1bae653f7fd85f918e7bb3a3","campaigns":["Miasma: The Spreading Blight"],"discovered_at":"2026-06-01"},{"kind":"sha256","value":"df1732f5bfec12e066be44dee02ec8a243e4868d38672c1b1d065359dd735a14","context":"index.js dropper SHA256 (ROT-9 + AES-128-GCM loader)","href":"/ti/ioc/sha256/df1732f5bfec12e066be44dee02ec8a243e4868d38672c1b1d065359dd735a14","campaigns":["Miasma: The Spreading Blight"],"discovered_at":"2026-06-01"},{"kind":"sha256","value":"0dc06ecdaa63fe24859cfd955053c23245c536e4733480239d14bebf12688e35","context":"decrypted Bun worm payload SHA256","href":"/ti/ioc/sha256/0dc06ecdaa63fe24859cfd955053c23245c536e4733480239d14bebf12688e35","campaigns":["Miasma: The Spreading Blight"],"discovered_at":"2026-06-01"},{"kind":"url","value":"https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/","context":"npm OIDC-to-publish-token exchange endpoint abused for self-propagation. Legitimate npm registry endpoint used by Trusted Publishing: do not block; review calls made outside the expected release workflow.","href":"/ti/ioc/url/url-6e07621b67f6","campaigns":["Miasma: The Spreading Blight"],"discovered_at":"2026-06-01"},{"kind":"url","value":"https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/","context":"Bun 1.3.13 runtime download URL used by Python stager; same version pinned across all Shai-Hulud/Miasma waves. Official Bun release location: a match is only meaningful when the download is made by an install or build step that has no reason to fetch Bun.","href":"/ti/ioc/url/url-64f182498063","campaigns":["Miasma: The Spreading Blight"],"discovered_at":"2026-06-01"},{"kind":"file_path","value":"/var/run/secrets/kubernetes.io/serviceaccount/token","context":"Kubernetes service account token harvested. Default mount path inside pods, so presence alone is not an indicator; look for reads by processes other than the workload itself.","href":"/ti/ioc/file_path/file_path-ca72b599811b","campaigns":["Miasma: The Spreading 
Blight"],"discovered_at":"2026-06-01"},{"kind":"file_path","value":"/var/run/docker.sock","context":"Docker socket abused for container escape. Standard path on any Docker host, so presence alone is not an indicator; look for access by package install scripts or other unexpected processes.","href":"/ti/ioc/file_path/file_path-71329c4cc6e3","campaigns":["Miasma: The Spreading Blight"],"discovered_at":"2026-06-01"},{"kind":"file_path","value":"/tmp/p<random>.js","context":"runtime dropper artifact (decoded loader)","href":"/ti/ioc/file_path/file_path-689667fb8c5f","campaigns":["Miasma: The Spreading Blight"],"discovered_at":"2026-06-01"},{"kind":"file_path","value":"/tmp/b-<random>/bun","context":"runtime artifact (downloaded Bun runtime)","href":"/ti/ioc/file_path/file_path-59b338a3cd5c","campaigns":["Miasma: The Spreading Blight"],"discovered_at":"2026-06-01"},{"kind":"file_path","value":"/tmp/kitty-<random>","context":"runtime worm artifact","href":"/ti/ioc/file_path/file_path-3f0c1ce3224a","campaigns":["Miasma: The Spreading Blight"],"discovered_at":"2026-06-01"},{"kind":"domain","value":"login.microsoftonline.com","context":"Azure managed identity / token endpoint queried. Legitimate Microsoft service: do not block; useful only when correlated with other indicators, for example requests originating from a package install or build process.","href":"/ti/ioc/domain/login.microsoftonline.com","campaigns":["Miasma: The Spreading Blight"],"discovered_at":"2026-06-01"},{"kind":"domain","value":"graph.microsoft.com","context":"Microsoft Graph API queried for identity data. Legitimate Microsoft service: do not block; useful only when correlated with other indicators.","href":"/ti/ioc/domain/graph.microsoft.com","campaigns":["Miasma: The Spreading Blight"],"discovered_at":"2026-06-01"},{"kind":"email","value":"justinorringer@gmail.com","context":"Git author identity seen on malicious commits (Justin Orringer); spoofed or unconfirmed, so the named person should not be assumed to be involved.","href":"/ti/ioc/email/justinorringer@gmail.com","campaigns":["Miasma: The Spreading Blight"],"discovered_at":"2026-06-01"},{"kind":"github_repo","value":"RedHatInsights/javascript-clients","context":"compromised repo; workflow ci.yml; branches oidc-4d5900f3, oidc-6523a11b; 15 packages","href":"/ti/ioc/github_repo/github_repo-1bc3b2894993","campaigns":["Miasma: The Spreading 
Blight"],"discovered_at":"2026-06-01"},{"kind":"github_repo","value":"RedHatInsights/frontend-components","context":"compromised repo; workflow ci.yaml; branches oidc-61fff775, oidc-af10000d; 14 packages","href":"/ti/ioc/github_repo/github_repo-9d459b8f2e91","campaigns":["Miasma: The Spreading Blight"],"discovered_at":"2026-06-01"},{"kind":"github_repo","value":"RedHatInsights/platform-frontend-ai-toolkit","context":"compromised repo; workflow release.yml; branches oidc-2530ec68, oidc-93b9a955; 3 packages","href":"/ti/ioc/github_repo/github_repo-f8474b5474b9","campaigns":["Miasma: The Spreading Blight"],"discovered_at":"2026-06-01"},{"kind":"email","value":"nath.dr4k3@gmail.com","context":"npm maintainer email for the t-in-one account that published the 12 Wave 2 packages. First email identity tied to the oob-moika-tech campaign (Wave 1 accounts mr.4nd3r50n and pik-libs had no public email).","href":"/ti/ioc/email/nath.dr4k3@gmail.com","campaigns":["oob-moika-tech-depconf-2026"],"discovered_at":"2026-05-29"},{"kind":"file_path","value":"._t-in-one_init.js","context":"Second-stage dropper written to the OS temp directory (os.tmpdir()) by the Wave 2 postinstall hook, then spawned detached. Follows the same ._<scope>_init.js naming pattern as Wave 1's ._cloudplatform-single-spa_init.js.","href":"/ti/ioc/file_path/file_path-aee3ea2cd2fb","campaigns":["oob-moika-tech-depconf-2026"],"discovered_at":"2026-05-29"},{"kind":"file_path","value":"~/.cache/._t-in-one_init/","context":"Run-once de-duplication marker directory created by the Wave 2 payload so a host is beaconed only once. New in Wave 2.","href":"/ti/ioc/file_path/file_path-747bf8f427cd","campaigns":[],"discovered_at":"2026-05-29"},{"kind":"domain","value":"npm.t-in-one.io","context":"Fabricated internal npm registry domain in the @t-in-one README and .npmrc lure (registry=https://npm.t-in-one.io). 
Social engineering artifact; not confirmed functional infrastructure.","href":"/ti/ioc/domain/npm.t-in-one.io","campaigns":["oob-moika-tech-depconf-2026"],"discovered_at":"2026-05-29"},{"kind":"domain","value":"docs.t-in-one.io","context":"Fabricated docs domain in @t-in-one README. Social engineering artifact; not confirmed functional.","href":"/ti/ioc/domain/docs.t-in-one.io","campaigns":[],"discovered_at":"2026-05-29"},{"kind":"domain","value":"jira.t-in-one.io","context":"Fabricated Jira domain in @t-in-one README. Social engineering artifact; not confirmed functional.","href":"/ti/ioc/domain/jira.t-in-one.io","campaigns":[],"discovered_at":"2026-05-29"},{"kind":"sha256","value":"23ccdefb9b917373a4b723d8d482eb6b8880e7e45b0d21cfa5d21d5c27da4918","context":"SHA256 of the @t-in-one/add_application@5.7.1 npm tarball (registry.npmjs.org). Sample Wave 2 artifact.","href":"/ti/ioc/sha256/23ccdefb9b917373a4b723d8d482eb6b8880e7e45b0d21cfa5d21d5c27da4918","campaigns":[],"discovered_at":"2026-05-29"},{"kind":"domain","value":"copilot-ai.whisdev.org","context":"Secondary hostname on C2 IP 195.201.194.107. 
Linked to bink/ptc-bink/whisdev persona cluster (JFrog attribution).","href":"/ti/ioc/domain/copilot-ai.whisdev.org","campaigns":["Contagious Interview"],"discovered_at":"2026-05-28"},{"kind":"domain","value":"sha256-validate-rpc.vercel.app","context":"Contagious Trader exfil endpoint used by polymarket-validator (toskypi, Feb 2026)","href":"/ti/ioc/domain/sha256-validate-rpc.vercel.app","campaigns":["Contagious Interview"],"discovered_at":"2026-05-28"},{"kind":"domain","value":"changelog.rest","context":"Contagious Trader exfil endpoint used by changelog-logger-utilities (toskypi, Mar 2026)","href":"/ti/ioc/domain/changelog.rest","campaigns":["Contagious Interview"],"discovered_at":"2026-05-28"},{"kind":"domain","value":"polblxpnl.space","context":"Contagious Trader C2 domain","href":"/ti/ioc/domain/polblxpnl.space","campaigns":[],"discovered_at":"2026-05-28"},{"kind":"sha256","value":"b2954c945b51dbd6fa88ac72338b7fbf76dec7d9909ceada9d36b21330842c97","context":"MicrosoftSystem64 Linux ELF binary (81 MB Node.js SEA, v1.0.8)","href":"/ti/ioc/sha256/b2954c945b51dbd6fa88ac72338b7fbf76dec7d9909ceada9d36b21330842c97","campaigns":["Contagious Interview"],"discovered_at":"2026-05-28"},{"kind":"email","value":"tosky.pi1016@gmail.com","context":"npm account toskypi, linked to ~20 DPRK npm accounts per kmsec.uk. Published polymarket-validator, changelog-logger-utilities. Famous Chollima.","href":"/ti/ioc/email/tosky.pi1016@gmail.com","campaigns":["Contagious Interview"],"discovered_at":"2026-05-28"},{"kind":"url","value":"https://huggingface.co/jpeek998/system-releases/resolve/main","context":"Binary update URL for MicrosoftSystem64 self-update (24h interval)","href":"/ti/ioc/url/url-961b993523df","campaigns":["Contagious Interview"],"discovered_at":"2026-05-28"},{"kind":"url","value":"https://huggingface.co/Lordplay/system-releases","context":"Original binary hosting repo on HuggingFace (disabled by HF, account Lordplay created 2025-11-24). 
Shared by jpeek868/886/895 cluster.","href":"/ti/ioc/url/url-ad92b7bf2e37","campaigns":["Contagious Interview"],"discovered_at":"2026-05-28"},{"kind":"url","value":"https://huggingface.co/jpeek998/linux_doc_75a5ffec36ca","context":"Third victim dataset: 48 screenshot files, started 2026-05-28T06:10:24Z. Active compromise evidence.","href":"/ti/ioc/url/url-6a9350e31e52","campaigns":["Contagious Interview"],"discovered_at":"2026-05-28"},{"kind":"file_path","value":"~/.local/share/MicrosoftSystem64","context":"Linux install directory for MicrosoftSystem64 binary and state files","href":"/ti/ioc/file_path/file_path-52873c1fd43c","campaigns":["Contagious Interview"],"discovered_at":"2026-05-28"},{"kind":"file_path","value":"~/.pcl-state/uploads.json","context":"Screenshot upload state tracker for HuggingFace exfiltration","href":"/ti/ioc/file_path/file_path-1cd95f5e2f53","campaigns":["Contagious Interview"],"discovered_at":"2026-05-28"},{"kind":"domain","value":"oob.moika.tech","context":"Shared C2 host across all three waves. Hosts /report exfiltration endpoint and /payload/{platform} second-stage scripts. Wave 3 platform strings: linux-x64, darwin-arm64, win.","href":"/ti/ioc/domain/oob.moika.tech","campaigns":["oob-moika-tech-depconf-2026"],"discovered_at":"2026-05-28"},{"kind":"url","value":"https://oob.moika.tech/report","context":"Exfiltration endpoint. 
Receives HTTP POST with process.env, hostname, username, platform, arch, cwd, Node.js version, and X-Secret authentication header.","href":"/ti/ioc/url/url-0f283ce50690","campaigns":["oob-moika-tech-depconf-2026"],"discovered_at":"2026-05-28"},{"kind":"url","value":"https://oob.moika.tech/payload/mac.js","context":"Second-stage payload for macOS, fetched by postinstall hook on darwin systems.","href":"/ti/ioc/url/url-5b6a9aeee063","campaigns":["oob-moika-tech-depconf-2026"],"discovered_at":"2026-05-28"},{"kind":"url","value":"https://oob.moika.tech/payload/win.js","context":"Second-stage payload for Windows, fetched by postinstall hook on win32 systems.","href":"/ti/ioc/url/url-fd0e7e849589","campaigns":["oob-moika-tech-depconf-2026"],"discovered_at":"2026-05-28"},{"kind":"url","value":"https://oob.moika.tech/payload/linux.js","context":"Second-stage payload for Linux, fetched by postinstall hook on linux systems.","href":"/ti/ioc/url/url-ebd523705dbe","campaigns":["oob-moika-tech-depconf-2026"],"discovered_at":"2026-05-28"},{"kind":"file_path","value":"._cloudplatform-single-spa_init.js","context":"Temp file written by the postinstall hook when downloading the second-stage payload. Written to the OS temp directory (os.tmpdir()). Name is consistent across all packages regardless of scope.","href":"/ti/ioc/file_path/file_path-b7d5e2a03a48","campaigns":["oob-moika-tech-depconf-2026"],"discovered_at":"2026-05-28"},{"kind":"domain","value":"telemetry.car-loans.io","context":"Fabricated telemetry domain appearing only in @car-loans scope README text. Social engineering artifact — not confirmed functional C2. Declared opt-out: CAR_LOANS_NO_TELEMETRY=1. 
Actual exfiltration target is oob.moika.tech.","href":"/ti/ioc/domain/telemetry.car-loans.io","campaigns":["oob-moika-tech-depconf-2026"],"discovered_at":"2026-05-28"},{"kind":"domain","value":"telemetry.cloudplatform-single-spa.io","context":"Fabricated telemetry domain appearing only in @cloudplatform-single-spa scope README text. Social engineering artifact — not confirmed functional C2. Declared opt-out: CLOUDPLATFORM_SINGLE_SPA_NO_TELEMETRY=1. Actual exfiltration target is oob.moika.tech.","href":"/ti/ioc/domain/telemetry.cloudplatform-single-spa.io","campaigns":["oob-moika-tech-depconf-2026"],"discovered_at":"2026-05-28"},{"kind":"domain","value":"npm.car-loans.io","context":"Fabricated private npm registry domain in @car-loans README and .npmrc comment (registry=https://npm.car-loans.io). Social engineering artifact confirming target org uses a private npm registry — the precondition for dependency confusion. Not confirmed functional infrastructure.","href":"/ti/ioc/domain/npm.car-loans.io","campaigns":["oob-moika-tech-depconf-2026"],"discovered_at":"2026-05-28"},{"kind":"domain","value":"npm.cloudplatform-single-spa.io","context":"Fabricated private npm registry domain in @cloudplatform-single-spa README. Social engineering artifact confirming target org uses a private npm registry. Not confirmed functional infrastructure.","href":"/ti/ioc/domain/npm.cloudplatform-single-spa.io","campaigns":["oob-moika-tech-depconf-2026"],"discovered_at":"2026-05-28"},{"kind":"domain","value":"21baseballacademy.com","context":"Ad script delivery domain used by terminal3airport packages. 
Hosts external JS payload at cdn.21baseballacademy.com.","href":"/ti/ioc/domain/21baseballacademy.com","campaigns":[],"discovered_at":"2026-05-27"},{"kind":"domain","value":"abdct.com","context":"Popunder redirect destination triggered by adware in terminal3airport packages.","href":"/ti/ioc/domain/abdct.com","campaigns":[],"discovered_at":"2026-05-27"},{"kind":"domain","value":"woofbeginner.com","context":"Additional ad/monetization script host used by terminal3airport packages.","href":"/ti/ioc/domain/woofbeginner.com","campaigns":[],"discovered_at":"2026-05-27"},{"kind":"url","value":"https://cdn.21baseballacademy.com/script/jrqK2HPsliMjRW5Q.js","context":"External ad script injected into proxy pages by terminal3airport packages.","href":"/ti/ioc/url/url-b0d246209ba7","campaigns":[],"discovered_at":"2026-05-27"},{"kind":"url","value":"https://woofbeginner.com/0a/91/35/0a913561831bdf2c26dcf18b852b5cc1.js","context":"Additional monetization script loaded by terminal3airport adware.","href":"/ti/ioc/url/url-2975114f1199","campaigns":[],"discovered_at":"2026-05-27"},{"kind":"email","value":"adofhiter23@gmail.com","context":"npm maintainer email for terminal3airport account. Published all 141 malicious packages.","href":"/ti/ioc/email/adofhiter23@gmail.com","campaigns":[],"discovered_at":"2026-05-27"},{"kind":"github_repo","value":"lucideproxy/svg","context":"GitHub repository referenced in package source code. 
Associated with Lucide Proxy project.","href":"/ti/ioc/github_repo/github_repo-ad6147b12ea6","campaigns":[],"discovered_at":"2026-05-27"},{"kind":"sha256","value":"0d27f455ae056aa908c276d9b17a73d469227257838ec9bcbcb3f1c66169b5a4","context":"SHA-256 of obfuscated JS file a3g0q43tbe.js found in wave 2-3 packages.","href":"/ti/ioc/sha256/0d27f455ae056aa908c276d9b17a73d469227257838ec9bcbcb3f1c66169b5a4","campaigns":[],"discovered_at":"2026-05-27"},{"kind":"url","value":"ws://204.10.194.247:9877","context":"WebSocket C2 relay endpoint for forge-jsx RAT campaign","href":"/ti/ioc/url/url-253b2bf9df4b","campaigns":["forge-jsx RAT"],"discovered_at":"2026-05-26"},{"kind":"url","value":"http://204.10.194.247:8765","context":"HTTP API endpoint for forge-jsx RAT campaign","href":"/ti/ioc/url/url-cb4c7a0deb59","campaigns":["forge-jsx RAT"],"discovered_at":"2026-05-26"},{"kind":"email","value":"jacksonkaandorp2@outlook.com","context":"npm account email for jacksonkaandorp2, publisher of forge-jsxy (Wave 2)","href":"/ti/ioc/email/jacksonkaandorp2@outlook.com","campaigns":["forge-jsx RAT"],"discovered_at":"2026-05-26"},{"kind":"domain","value":"taohunter.ai","context":"Domain associated with johntaohunter npm account (Wave 1)","href":"/ti/ioc/domain/taohunter.ai","campaigns":["forge-jsx RAT"],"discovered_at":"2026-05-26"},{"kind":"sha256","value":"4938d47fe6216f8f9fee0527bf5112c04c15a9ea62f87869677619aa5400f09f","context":"SHA-256 of forge-jsxy v1.0.91 (latest Wave 2 version)","href":"/ti/ioc/sha256/4938d47fe6216f8f9fee0527bf5112c04c15a9ea62f87869677619aa5400f09f","campaigns":["forge-jsx RAT"],"discovered_at":"2026-05-26"},{"kind":"sha256","value":"8070daba5d6ca61c357574526d1e0f468ae575a4edf74cc90a8d8b8c78e3aeef","context":"SHA-256 of forge-jsxy v1.0.66 (first Wave 2 version)","href":"/ti/ioc/sha256/8070daba5d6ca61c357574526d1e0f468ae575a4edf74cc90a8d8b8c78e3aeef","campaigns":["forge-jsx 
RAT"],"discovered_at":"2026-05-26"},{"kind":"file_path","value":"~/.config/systemd/user/forge-js-worker.service","context":"Linux systemd persistence for forge-jsx RAT","href":"/ti/ioc/file_path/file_path-1cbc96dac65a","campaigns":["forge-jsx RAT"],"discovered_at":"2026-05-26"},{"kind":"file_path","value":"~/.config/autostart/forge-js-worker.desktop","context":"Linux XDG autostart persistence for forge-jsx RAT","href":"/ti/ioc/file_path/file_path-6146aef02482","campaigns":["forge-jsx RAT"],"discovered_at":"2026-05-26"},{"kind":"file_path","value":"~/Library/LaunchAgents/com.forgejs.worker.plist","context":"macOS LaunchAgent persistence for forge-jsx RAT","href":"/ti/ioc/file_path/file_path-e8d302abc731","campaigns":["forge-jsx RAT"],"discovered_at":"2026-05-26"},{"kind":"domain","value":"polymarketbot.polymarketdev.workers.dev","context":"Network indicator from blog post","href":"/ti/ioc/domain/polymarketbot.polymarketdev.workers.dev","campaigns":["Crypto Wallet Drainers"],"discovered_at":"2026-05-21"},{"kind":"sha256","value":"e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/e01b85c1437085a519217338fe4ee5ed7858c28a10f8c1477b2f1857c3386edb","campaigns":["Crypto Wallet Drainers"],"discovered_at":"2026-05-21"},{"kind":"email","value":"dmtnatpepes@proton.me","context":"Email indicator from blog post","href":"/ti/ioc/email/dmtnatpepes@proton.me","campaigns":["Crypto Wallet Drainers"],"discovered_at":"2026-05-21"},{"kind":"domain","value":"utaq.cfww.shop","context":"Network indicator from blog post","href":"/ti/ioc/domain/utaq.cfww.shop","campaigns":["No Specific Campaign"],"discovered_at":"2026-05-20"},{"kind":"domain","value":"git.youzzjizz.com","context":"Network indicator from blog post","href":"/ti/ioc/domain/git.youzzjizz.com","campaigns":["No Specific Campaign"],"discovered_at":"2026-05-20"},{"kind":"ipv4","value":"180.178.50.158","context":"IP address indicator from blog 
post","href":"/ti/ioc/ipv4/180.178.50.158","campaigns":["No Specific Campaign"],"discovered_at":"2026-05-20"},{"kind":"ipv4","value":"172.67.141.14","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/172.67.141.14","campaigns":["No Specific Campaign"],"discovered_at":"2026-05-20"},{"kind":"ipv4","value":"104.21.40.254","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/104.21.40.254","campaigns":["No Specific Campaign"],"discovered_at":"2026-05-20"},{"kind":"sha256","value":"273206e2973df6ba7474aa66693797c98dcf26b794da4c3e863ab8d8c694868d","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/273206e2973df6ba7474aa66693797c98dcf26b794da4c3e863ab8d8c694868d","campaigns":["No Specific Campaign"],"discovered_at":"2026-05-20"},{"kind":"sha256","value":"5b5fe5d92808a732d0d44246cd706295cc739ed7f4dcae19112df666bc5d4f7d","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/5b5fe5d92808a732d0d44246cd706295cc739ed7f4dcae19112df666bc5d4f7d","campaigns":["No Specific Campaign"],"discovered_at":"2026-05-20"},{"kind":"sha256","value":"101afde88ff8b5c02fd341eda55022a39203088c2ff11dcb73214911cf5afb77","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/101afde88ff8b5c02fd341eda55022a39203088c2ff11dcb73214911cf5afb77","campaigns":["No Specific Campaign"],"discovered_at":"2026-05-20"},{"kind":"sha256","value":"d8e3973a0b3c5359d1f53a22491b56bdd31dee13a51c01c7126bc6694584512f","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/d8e3973a0b3c5359d1f53a22491b56bdd31dee13a51c01c7126bc6694584512f","campaigns":["No Specific Campaign"],"discovered_at":"2026-05-20"},{"kind":"sha256","value":"f31bdd069fe7966ae11be1f78ee5dd44445938856dd1df12379e0e84a6851f5c","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/f31bdd069fe7966ae11be1f78ee5dd44445938856dd1df12379e0e84a6851f5c","campaigns":["No Specific 
Campaign"],"discovered_at":"2026-05-20"},{"kind":"sha1","value":"57620206d62079baad0e57e6d9ec93120c0f5247","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/57620206d62079baad0e57e6d9ec93120c0f5247","campaigns":["No Specific Campaign"],"discovered_at":"2026-05-20"},{"kind":"sha1","value":"14669ca3b1519ba2a8f40be287f646d4d7593eb0","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/14669ca3b1519ba2a8f40be287f646d4d7593eb0","campaigns":["No Specific Campaign"],"discovered_at":"2026-05-20"},{"kind":"md5","value":"7d86eb847ecfd3c972fa457a6abaa0da","context":"MD5 hash from blog post","href":"/ti/ioc/md5/7d86eb847ecfd3c972fa457a6abaa0da","campaigns":[],"discovered_at":"2026-05-20"},{"kind":"email","value":"goofychris69@gmail.com","context":"Email indicator from blog post","href":"/ti/ioc/email/goofychris69@gmail.com","campaigns":[],"discovered_at":"2026-05-20"},{"kind":"email","value":"npmpacketmaintainmember7@proton.me","context":"Email indicator from blog post","href":"/ti/ioc/email/npmpacketmaintainmember7@proton.me","campaigns":[],"discovered_at":"2026-05-20"},{"kind":"email","value":"1987.tangbin@gmail.com","context":"Email indicator from blog post","href":"/ti/ioc/email/1987.tangbin@gmail.com","campaigns":[],"discovered_at":"2026-05-20"},{"kind":"email","value":"eb8org@gmail.com","context":"Email indicator from blog post","href":"/ti/ioc/email/eb8org@gmail.com","campaigns":[],"discovered_at":"2026-05-20"},{"kind":"domain","value":"check.git-service.com","context":"Network indicator from blog post","href":"/ti/ioc/domain/check.git-service.com","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-20"},{"kind":"domain","value":"www.youtube.com","context":"Network indicator from blog post. Legitimate, widely used domain; corroborate with other indicators before alerting or blocking on it.","href":"/ti/ioc/domain/www.youtube.com","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-20"},{"kind":"ipv4","value":"160.119.64.3","context":"IP address indicator from blog 
post","href":"/ti/ioc/ipv4/160.119.64.3","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-20"},{"kind":"ipv4","value":"185.95.159.32","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/185.95.159.32","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-20"},{"kind":"sha256","value":"3de04fe2a76262743ed089efa7115f4508619838e77d60b9a1aab8b20d2cc8bf","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/3de04fe2a76262743ed089efa7115f4508619838e77d60b9a1aab8b20d2cc8bf","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-20"},{"kind":"sha256","value":"85f54c089d78ebfb101454ec934c767065a342a43c9ee1beac8430cdd3b2086f","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/85f54c089d78ebfb101454ec934c767065a342a43c9ee1beac8430cdd3b2086f","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-20"},{"kind":"sha256","value":"c0b094e46842260936d4b97ce63e4539b99a3eae48b736798c700217c52569dc","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/c0b094e46842260936d4b97ce63e4539b99a3eae48b736798c700217c52569dc","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-20"},{"kind":"sha256","value":"069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-20"},{"kind":"domain","value":"t.m-kosche.com","context":"Network indicator from blog post","href":"/ti/ioc/domain/t.m-kosche.com","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-19"},{"kind":"ipv4","value":"169.254.170.2","context":"AWS ECS task metadata endpoint queried for credentials","href":"/ti/ioc/ipv4/169.254.170.2","campaigns":["Mini Shai-Hulud","Miasma: The Spreading Blight"],"discovered_at":"2026-05-19"},{"kind":"sha256","value":"a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c","context":"SHA-256 hash from blog 
post","href":"/ti/ioc/sha256/a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-19"},{"kind":"sha1","value":"1916faa365f2788b6e193514872d51a242876569","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/1916faa365f2788b6e193514872d51a242876569","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-19"},{"kind":"sha1","value":"7cb42f57561c321ecb09b4552802ae0ac55b3a7a","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/7cb42f57561c321ecb09b4552802ae0ac55b3a7a","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-19"},{"kind":"sha1","value":"dc3d62a2181beb9f326952a2d212900c94f2e13d","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/dc3d62a2181beb9f326952a2d212900c94f2e13d","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-19"},{"kind":"email","value":"i@hust.cc","context":"Email indicator from blog post","href":"/ti/ioc/email/i@hust.cc","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-19"},{"kind":"email","value":"alexzjt@users.noreply.github.com","context":"Email indicator from blog post","href":"/ti/ioc/email/alexzjt@users.noreply.github.com","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-19"},{"kind":"ipv4","value":"1.1.1.1","context":"IP address indicator from blog post. Public DNS resolver address (Cloudflare); not attacker infrastructure in itself, so do not block or alert on this value alone.","href":"/ti/ioc/ipv4/1.1.1.1","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-14"},{"kind":"ipv4","value":"8.8.8.8","context":"IP address indicator from blog post. Public DNS resolver address (Google); not attacker infrastructure in itself, so do not block or alert on this value alone.","href":"/ti/ioc/ipv4/8.8.8.8","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-14"},{"kind":"sha256","value":"449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e","campaigns":["Mini 
Shai-Hulud"],"discovered_at":"2026-05-14"},{"kind":"sha256","value":"c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-14"},{"kind":"sha256","value":"78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-14"},{"kind":"sha256","value":"3427a90c8cb9af764445448648176e120ebc6af0a538158340cf6220de4d01b7","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/3427a90c8cb9af764445448648176e120ebc6af0a538158340cf6220de4d01b7","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-14"},{"kind":"sha256","value":"fdba4191831a13debf9d8c0c940b0301c7b7f01d27f1b1c73ed3ceaa2db4103b","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/fdba4191831a13debf9d8c0c940b0301c7b7f01d27f1b1c73ed3ceaa2db4103b","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-14"},{"kind":"email","value":"a.tiertant@atlantis-software.net","context":"Email indicator from blog post","href":"/ti/ioc/email/a.tiertant@atlantis-software.net","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-14"},{"kind":"ipv4","value":"207.90.194.2","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/207.90.194.2","campaigns":["Claude Code Hook Backdoors"],"discovered_at":"2026-05-13"},{"kind":"sha1","value":"8daaa2003784a92f4761ed3c9d5560ef8cf4bffa","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/8daaa2003784a92f4761ed3c9d5560ef8cf4bffa","campaigns":["Claude Code Hook Backdoors"],"discovered_at":"2026-05-13"},{"kind":"md5","value":"b604b21749a396111bb111d46d97b1c4","context":"MD5 hash from blog 
post","href":"/ti/ioc/md5/b604b21749a396111bb111d46d97b1c4","campaigns":["Claude Code Hook Backdoors"],"discovered_at":"2026-05-13"},{"kind":"domain","value":"git-tanstack.com","context":"Network indicator from blog post","href":"/ti/ioc/domain/git-tanstack.com","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-12"},{"kind":"domain","value":"filev2.getsession.org","context":"Network indicator from blog post","href":"/ti/ioc/domain/filev2.getsession.org","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-12"},{"kind":"domain","value":"169.254.169.254","context":"Network indicator from blog post. The value is a link-local IPv4 address (cloud instance metadata endpoint), not a domain name; the ipv4 entry for the same address describes its use.","href":"/ti/ioc/domain/169.254.169.254","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-12"},{"kind":"sha256","value":"ce7e4199506959fd7a71b64209b2c07b9c82e53a946aa7d78298dc9249230d01","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/ce7e4199506959fd7a71b64209b2c07b9c82e53a946aa7d78298dc9249230d01","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-12"},{"kind":"sha1","value":"79ac49eedf774dd4b0cfa308722bc463cfe5885c","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/79ac49eedf774dd4b0cfa308722bc463cfe5885c","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-05-12"},{"kind":"domain","value":"82.221.101.203","context":"Network indicator from blog post","href":"/ti/ioc/domain/82.221.101.203","campaigns":["No Specific Campaign"],"discovered_at":"2026-05-10"},{"kind":"ipv4","value":"82.221.101.203","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/82.221.101.203","campaigns":["No Specific Campaign"],"discovered_at":"2026-05-10"},{"kind":"sha256","value":"263df2348f54f1f4980542a41f69d77b085fb28091a95979ba7f0e9f3d0da861","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/263df2348f54f1f4980542a41f69d77b085fb28091a95979ba7f0e9f3d0da861","campaigns":["No Specific Campaign"],"discovered_at":"2026-05-10"},{"kind":"email","value":"noondeved94ed@wshu.net","context":"Email indicator from blog 
post","href":"/ti/ioc/email/noondeved94ed@wshu.net","campaigns":["No Specific Campaign"],"discovered_at":"2026-05-10"},{"kind":"domain","value":"172.86.73.132","context":"Network indicator from blog post","href":"/ti/ioc/domain/172.86.73.132","campaigns":["No Specific Campaign"],"discovered_at":"2026-05-07"},{"kind":"ipv4","value":"172.86.73.132","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/172.86.73.132","campaigns":["No Specific Campaign"],"discovered_at":"2026-05-07"},{"kind":"sha256","value":"86d17961e9662c53e1fb61701388b7c741bf79c093061df968a3e53c829dcb16","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/86d17961e9662c53e1fb61701388b7c741bf79c093061df968a3e53c829dcb16","campaigns":["No Specific Campaign"],"discovered_at":"2026-05-07"},{"kind":"email","value":"info@w8r.name","context":"Email indicator from blog post","href":"/ti/ioc/email/info@w8r.name","campaigns":["No Specific Campaign"],"discovered_at":"2026-05-07"},{"kind":"email","value":"daltonchristiano060@gmail.com","context":"Email indicator from blog post","href":"/ti/ioc/email/daltonchristiano060@gmail.com","campaigns":["No Specific Campaign"],"discovered_at":"2026-05-07"},{"kind":"domain","value":"paidgirl.site","context":"Operator-controlled origin allow-listed in common-tg-service auth guard","href":"/ti/ioc/domain/paidgirl.site","campaigns":[],"discovered_at":"2026-05-03"},{"kind":"domain","value":"cms.paidgirl.site","context":"ams-ssk deployment serving folders/:folder/files/download-all consumed by common-tg-service","href":"/ti/ioc/domain/cms.paidgirl.site","campaigns":["shetty123 Telegram Hijack"],"discovered_at":"2026-05-03"},{"kind":"domain","value":"helper-thge.onrender.com","context":"Attribution-laundering HTTP relay; used by common-tg-service on 403/495 responses","href":"/ti/ioc/domain/helper-thge.onrender.com","campaigns":["shetty123 Telegram 
Hijack"],"discovered_at":"2026-05-03"},{"kind":"domain","value":"promoteclients2.glitch.me","context":"Operator host leaked in ams-ssk Swagger DTO; sequential staging (promoteClients2)","href":"/ti/ioc/domain/promoteclients2.glitch.me","campaigns":[],"discovered_at":"2026-05-03"},{"kind":"domain","value":"zomcall.netlify.app","context":"Allowed origin in common-tg-service auth guard","href":"/ti/ioc/domain/zomcall.netlify.app","campaigns":[],"discovered_at":"2026-05-03"},{"kind":"domain","value":"report-upi.netlify.app","context":"Allowed origin; names the UPI/India targeting","href":"/ti/ioc/domain/report-upi.netlify.app","campaigns":[],"discovered_at":"2026-05-03"},{"kind":"email","value":"storeslaksmi@gmail.com","context":"Hardcoded 2FA recovery email implanted on every hijacked Telegram account","href":"/ti/ioc/email/storeslaksmi@gmail.com","campaigns":["shetty123 Telegram Hijack"],"discovered_at":"2026-05-03"},{"kind":"email","value":"dodieajt@gmail.com","context":"Operator npoint.io account credentials committed in npoint.service.js","href":"/ti/ioc/email/dodieajt@gmail.com","campaigns":[],"discovered_at":"2026-05-03"},{"kind":"email","value":"shettysaikumar3@gmail.com","context":"npm publisher email for shetty123 (publisher of both packages)","href":"/ti/ioc/email/shettysaikumar3@gmail.com","campaigns":[],"discovered_at":"2026-05-03"},{"kind":"ipv4","value":"31.97.59.2","context":"Operator IP allow-listed in common-tg-service auth guard","href":"/ti/ioc/ipv4/31.97.59.2","campaigns":[],"discovered_at":"2026-05-03"},{"kind":"ipv4","value":"148.230.84.50","context":"Operator IP allow-listed in common-tg-service auth guard","href":"/ti/ioc/ipv4/148.230.84.50","campaigns":[],"discovered_at":"2026-05-03"},{"kind":"ipv4","value":"13.228.225.19","context":"Operator IP allow-listed in common-tg-service auth guard","href":"/ti/ioc/ipv4/13.228.225.19","campaigns":[],"discovered_at":"2026-05-03"},{"kind":"ipv4","value":"18.142.128.26","context":"Operator IP allow-listed 
in common-tg-service auth guard","href":"/ti/ioc/ipv4/18.142.128.26","campaigns":[],"discovered_at":"2026-05-03"},{"kind":"ipv4","value":"54.254.162.138","context":"Operator IP allow-listed in common-tg-service auth guard","href":"/ti/ioc/ipv4/54.254.162.138","campaigns":[],"discovered_at":"2026-05-03"},{"kind":"sha1","value":"5061bc9611e31a48a8085cfab4cb875a6cc633ec","context":"common-tg-service-1.3.207.tgz npm tarball","href":"/ti/ioc/sha1/5061bc9611e31a48a8085cfab4cb875a6cc633ec","campaigns":[],"discovered_at":"2026-05-03"},{"kind":"sha1","value":"80da04770a779330803bdd00d00a354adc12859a","context":"ams-ssk-1.0.33.tgz npm tarball","href":"/ti/ioc/sha1/80da04770a779330803bdd00d00a354adc12859a","campaigns":[],"discovered_at":"2026-05-03"},{"kind":"domain","value":"152.67.0.53","context":"Network indicator from blog post","href":"/ti/ioc/domain/152.67.0.53","campaigns":["tanvisoul9 npm Backdoors"],"discovered_at":"2026-05-03"},{"kind":"ipv4","value":"152.67.0.53","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/152.67.0.53","campaigns":["tanvisoul9 npm Backdoors"],"discovered_at":"2026-05-03"},{"kind":"sha256","value":"e2fda5aa8397799669f29258f69e803cf05d322c1d93269eef6754ca024c3865","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/e2fda5aa8397799669f29258f69e803cf05d322c1d93269eef6754ca024c3865","campaigns":["fucktestpad npm Malware"],"discovered_at":"2026-05-01"},{"kind":"sha256","value":"3071422c3294e7b61cb490c57c48c8dea569bacf12e57a078293b6547d7586d3","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/3071422c3294e7b61cb490c57c48c8dea569bacf12e57a078293b6547d7586d3","campaigns":["Shai-Hulud"],"discovered_at":"2026-04-30"},{"kind":"sha256","value":"56070a9d8de0c0ffb1ec5c309953cf4679432df5a78df9aeb020fbb73d2be9fb","context":"SHA-256 hash from blog 
post","href":"/ti/ioc/sha256/56070a9d8de0c0ffb1ec5c309953cf4679432df5a78df9aeb020fbb73d2be9fb","campaigns":["Shai-Hulud"],"discovered_at":"2026-04-30"},{"kind":"sha256","value":"5f5852b5f604369945118937b058e49064612ac69826e0adadca39a357dfb5b1","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/5f5852b5f604369945118937b058e49064612ac69826e0adadca39a357dfb5b1","campaigns":["Shai-Hulud"],"discovered_at":"2026-04-30"},{"kind":"sha256","value":"d2815d425ae08cc627f1db69009442165f8bbc64b7e9157e2ff9d7aab02094d4","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/d2815d425ae08cc627f1db69009442165f8bbc64b7e9157e2ff9d7aab02094d4","campaigns":["Shai-Hulud"],"discovered_at":"2026-04-30"},{"kind":"sha256","value":"8046a11187c135da6959862ff3846e99ad15462d2ec8a2f77a30ad53ebd5dcf2","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/8046a11187c135da6959862ff3846e99ad15462d2ec8a2f77a30ad53ebd5dcf2","campaigns":["Shai-Hulud"],"discovered_at":"2026-04-30"},{"kind":"sha256","value":"2d4e21d2e78d0868ce7894487e67c67f929d8d81d78c5b07a3ad225b13eae890","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/2d4e21d2e78d0868ce7894487e67c67f929d8d81d78c5b07a3ad225b13eae890","campaigns":["Shai-Hulud"],"discovered_at":"2026-04-30"},{"kind":"sha1","value":"0a3dd44d361c34cd9036eeb3f49601160a636648","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/0a3dd44d361c34cd9036eeb3f49601160a636648","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-04-29"},{"kind":"email","value":"cap@sap.com","context":"Email indicator from blog post","href":"/ti/ioc/email/cap@sap.com","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-04-29"},{"kind":"email","value":"mob.extrepo.stores@sap.com","context":"Email indicator from blog post","href":"/ti/ioc/email/mob.extrepo.stores@sap.com","campaigns":["Mini Shai-Hulud"],"discovered_at":"2026-04-29"},{"kind":"email","value":"claude@users.noreply.github.com","context":"Spoofed git commit author identity used 
to plant the binary dropper and blend with AI-assistant automation. Also seen across the Shai-Hulud / Mini Shai-Hulud worm family.","href":"/ti/ioc/email/claude@users.noreply.github.com","campaigns":["Mini Shai-Hulud","Miasma: The Spreading Blight","IronWorm"],"discovered_at":"2026-04-29"},{"kind":"domain","value":"franki.requestcatcher.com","context":"Network indicator from blog post","href":"/ti/ioc/domain/franki.requestcatcher.com","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-29"},{"kind":"ipv4","value":"169.254.169.254","context":"AWS IMDS endpoint queried for cloud credentials","href":"/ti/ioc/ipv4/169.254.169.254","campaigns":["No Specific Campaign","Mini Shai-Hulud","Miasma: The Spreading Blight"],"discovered_at":"2026-04-29"},{"kind":"email","value":"npmtpoc@gmail.com","context":"Email indicator from blog post","href":"/ti/ioc/email/npmtpoc@gmail.com","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-29"},{"kind":"ipv4","value":"18.208.244.120","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/18.208.244.120","campaigns":["Crypto Wallet Drainers"],"discovered_at":"2026-04-29"},{"kind":"md5","value":"0123456789abcdef0123456789abcdef","context":"MD5 hash from blog post. The value is a sequential hex pattern and is probably a placeholder or example rather than a real file hash; verify against the source report before matching on it.","href":"/ti/ioc/md5/0123456789abcdef0123456789abcdef","campaigns":["Crypto Wallet Drainers"],"discovered_at":"2026-04-29"},{"kind":"domain","value":"audit.checkmarx.cx","context":"Network indicator from blog post","href":"/ti/ioc/domain/audit.checkmarx.cx","campaigns":["TeamPCP"],"discovered_at":"2026-04-24"},{"kind":"ipv4","value":"94.154.172.43","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/94.154.172.43","campaigns":["TeamPCP"],"discovered_at":"2026-04-24"},{"kind":"sha256","value":"18f784b3bc9a0bcdcb1a8d7f51bc5f54323fc40cbd874119354ab609bef6e4cb","context":"SHA-256 hash from blog 
post","href":"/ti/ioc/sha256/18f784b3bc9a0bcdcb1a8d7f51bc5f54323fc40cbd874119354ab609bef6e4cb","campaigns":["TeamPCP"],"discovered_at":"2026-04-24"},{"kind":"sha256","value":"8605e365edf11160aad517c7d79a3b26b62290e5072ef97b102a01ddbb343f14","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/8605e365edf11160aad517c7d79a3b26b62290e5072ef97b102a01ddbb343f14","campaigns":["TeamPCP"],"discovered_at":"2026-04-24"},{"kind":"sha1","value":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/de0fac2e4500dabe0009e67214ff5f5447ce83dd","campaigns":["TeamPCP","Mini Shai-Hulud"],"discovered_at":"2026-04-24"},{"kind":"sha1","value":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f","campaigns":["TeamPCP","Mini Shai-Hulud"],"discovered_at":"2026-04-24"},{"kind":"ipv4","value":"0.0.0.0","context":"IP address indicator from blog post. This is the unspecified (wildcard) address, not a routable host; it is not usable as a block-list entry or detection indicator on its own.","href":"/ti/ioc/ipv4/0.0.0.0","campaigns":["fucktestpad npm Malware"],"discovered_at":"2026-04-16"},{"kind":"email","value":"fucktestpad@opemails.com","context":"Email indicator from blog post","href":"/ti/ioc/email/fucktestpad@opemails.com","campaigns":["fucktestpad npm Malware"],"discovered_at":"2026-04-16"},{"kind":"domain","value":"204.10.194.247","context":"Network indicator from blog post","href":"/ti/ioc/domain/204.10.194.247","campaigns":["forge-jsx RAT"],"discovered_at":"2026-04-15"},{"kind":"ipv4","value":"204.10.194.247","context":"C2 server (AS206216 Advin Services LLC, Nurnberg DE). WebSocket relay on port 9877, HTTP API on port 8765. 
Shared across all forge-jsx/forge-jsxy waves.","href":"/ti/ioc/ipv4/204.10.194.247","campaigns":["forge-jsx RAT"],"discovered_at":"2026-04-15"},{"kind":"sha256","value":"4cb96c3b033c1aaf7b3d0fe54749058f14d4d914947a6d6d430aca108a7daa5a","context":"SHA-256 of forge-jsx (Wave 1)","href":"/ti/ioc/sha256/4cb96c3b033c1aaf7b3d0fe54749058f14d4d914947a6d6d430aca108a7daa5a","campaigns":["forge-jsx RAT"],"discovered_at":"2026-04-15"},{"kind":"email","value":"john@taohunter.ai","context":"npm account email for johntaohunter, publisher of @johntaohunter/forge-jsx","href":"/ti/ioc/email/john@taohunter.ai","campaigns":["forge-jsx RAT"],"discovered_at":"2026-04-15"},{"kind":"email","value":"johnceballos0716@gmail.com","context":"npm account email for johnceballos0716, publisher of forge-jsx (Wave 1)","href":"/ti/ioc/email/johnceballos0716@gmail.com","campaigns":["forge-jsx RAT"],"discovered_at":"2026-04-15"},{"kind":"domain","value":"api-sub.jrodacooker.dev","context":"Earlier C2 domain for js-logger-pack, DNS since removed","href":"/ti/ioc/domain/api-sub.jrodacooker.dev","campaigns":["Contagious Interview"],"discovered_at":"2026-04-15"},{"kind":"domain","value":"huggingface.co","context":"Network indicator from blog post. Legitimate shared hosting platform; the bare domain is too broad to block or alert on without a more specific path from the source report.","href":"/ti/ioc/domain/huggingface.co","campaigns":["Contagious Interview"],"discovered_at":"2026-04-15"},{"kind":"ipv4","value":"195.201.194.107","context":"WebSocket + HTTP C2 server on port 8010. Hetzner, DE, AS24940. 
Secondary hostname: copilot-ai.whisdev.org.","href":"/ti/ioc/ipv4/195.201.194.107","campaigns":["Contagious Interview"],"discovered_at":"2026-04-15"},{"kind":"sha256","value":"a49eee6b6db9da14db46587b68bf1d8a80976812f629bf3e100ac6ba83cf8490","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/a49eee6b6db9da14db46587b68bf1d8a80976812f629bf3e100ac6ba83cf8490","campaigns":["Contagious Interview"],"discovered_at":"2026-04-15"},{"kind":"sha256","value":"6ce3b22b07fd5aef1dd77237334d80718601e4e02a706485572d3dda8993a4e3","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/6ce3b22b07fd5aef1dd77237334d80718601e4e02a706485572d3dda8993a4e3","campaigns":["Contagious Interview"],"discovered_at":"2026-04-15"},{"kind":"sha256","value":"571533a643e67c38087f4da8cce0d3dc14670a52403717e4943433d392860a7f","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/571533a643e67c38087f4da8cce0d3dc14670a52403717e4943433d392860a7f","campaigns":["Contagious Interview"],"discovered_at":"2026-04-15"},{"kind":"sha256","value":"585c5ab1fea06bed4956e34ffd6d6b576122addd34d252b163ae0801098e9eaf","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/585c5ab1fea06bed4956e34ffd6d6b576122addd34d252b163ae0801098e9eaf","campaigns":["Contagious Interview"],"discovered_at":"2026-04-15"},{"kind":"sha256","value":"9f0a7174f9537bdbf63fe2329cea9a14198076180390af9f43a0e5b5c7c46912","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/9f0a7174f9537bdbf63fe2329cea9a14198076180390af9f43a0e5b5c7c46912","campaigns":["Contagious Interview"],"discovered_at":"2026-04-15"},{"kind":"sha256","value":"e35801137cd09fa02aa996145d18ec68d67d71db9810f2608a6285ee1c08b054","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/e35801137cd09fa02aa996145d18ec68d67d71db9810f2608a6285ee1c08b054","campaigns":["Contagious Interview"],"discovered_at":"2026-04-15"},{"kind":"sha256","value":"df45bbac7695f0edad3edde36904f2722f2af761887744a2f1d65df705d28dc6","context":"SHA-256 hash from 
blog post","href":"/ti/ioc/sha256/df45bbac7695f0edad3edde36904f2722f2af761887744a2f1d65df705d28dc6","campaigns":["Contagious Interview"],"discovered_at":"2026-04-15"},{"kind":"sha256","value":"43c93c609d48b6cb4f1275c285b5e6960ef74e7f5811b442e3c1038d49128d73","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/43c93c609d48b6cb4f1275c285b5e6960ef74e7f5811b442e3c1038d49128d73","campaigns":["Contagious Interview"],"discovered_at":"2026-04-15"},{"kind":"sha256","value":"dbbc31c641c2f1b9a867e745c30dda27dff2db7d91f9faddcf08a504ca2a9d11","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/dbbc31c641c2f1b9a867e745c30dda27dff2db7d91f9faddcf08a504ca2a9d11","campaigns":[],"discovered_at":"2026-04-15"},{"kind":"sha1","value":"b0a0c8779961bcce1851d35125a7b48fc6ec7d5c","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/b0a0c8779961bcce1851d35125a7b48fc6ec7d5c","campaigns":[],"discovered_at":"2026-04-15"},{"kind":"email","value":"jpeek868@gmail.com","context":"npm publisher account jpeek868, author of js-logger-pack. Part of jpeek account rotation cluster (jpeek868/886/895). 
DPRK Famous Chollima.","href":"/ti/ioc/email/jpeek868@gmail.com","campaigns":["Contagious Interview"],"discovered_at":"2026-04-15"},{"kind":"domain","value":"xienztiavkygvacpqzgr.supabase.co","context":"Network indicator from blog post","href":"/ti/ioc/domain/xienztiavkygvacpqzgr.supabase.co","campaigns":["tanvisoul9 npm Backdoors"],"discovered_at":"2026-04-14"},{"kind":"domain","value":"ndfcioahsbgsjmulpjgt.supabase.co","context":"Network indicator from blog post","href":"/ti/ioc/domain/ndfcioahsbgsjmulpjgt.supabase.co","campaigns":["tanvisoul9 npm Backdoors"],"discovered_at":"2026-04-14"},{"kind":"sha256","value":"4600db4fc30fb6ffa68deed4a25679e674bb3a3e8dae31f3dfc83bea0d757a8f","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/4600db4fc30fb6ffa68deed4a25679e674bb3a3e8dae31f3dfc83bea0d757a8f","campaigns":["tanvisoul9 npm Backdoors"],"discovered_at":"2026-04-14"},{"kind":"sha256","value":"2e131f47090516e5a60553aa40d46823e08162390c1d6deb075cf317f00309f7","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/2e131f47090516e5a60553aa40d46823e08162390c1d6deb075cf317f00309f7","campaigns":["tanvisoul9 npm Backdoors"],"discovered_at":"2026-04-14"},{"kind":"email","value":"tanvisoul9@gmail.com","context":"Email indicator from blog post","href":"/ti/ioc/email/tanvisoul9@gmail.com","campaigns":["tanvisoul9 npm Backdoors"],"discovered_at":"2026-04-14"},{"kind":"domain","value":"64.227.183.144","context":"Network indicator from blog post","href":"/ti/ioc/domain/64.227.183.144","campaigns":["Enterprise Dependency Confusion"],"discovered_at":"2026-04-10"},{"kind":"ipv4","value":"64.227.183.144","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/64.227.183.144","campaigns":["Enterprise Dependency Confusion"],"discovered_at":"2026-04-10"},{"kind":"email","value":"victim59@proton.me","context":"Email indicator from blog post","href":"/ti/ioc/email/victim59@proton.me","campaigns":["Enterprise Dependency 
Confusion"],"discovered_at":"2026-04-10"},{"kind":"domain","value":"cloudflareinsights.vercel.app","context":"Network indicator from blog post","href":"/ti/ioc/domain/cloudflareinsights.vercel.app","campaigns":["big.js Typosquat SSH Backdoor"],"discovered_at":"2026-04-09"},{"kind":"domain","value":"cloudflarefirewall.vercel.app","context":"Network indicator from blog post","href":"/ti/ioc/domain/cloudflarefirewall.vercel.app","campaigns":["big.js Typosquat SSH Backdoor"],"discovered_at":"2026-04-09"},{"kind":"sha256","value":"55bee3abfa26a78989baae1053a778d3b4a984d5451621a851211a45fe2a82b9","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/55bee3abfa26a78989baae1053a778d3b4a984d5451621a851211a45fe2a82b9","campaigns":["big.js Typosquat SSH Backdoor"],"discovered_at":"2026-04-09"},{"kind":"sha256","value":"02a00a158ceedaaf7a4bf53002a74d60339d4668d463831fe218905816b72e07","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/02a00a158ceedaaf7a4bf53002a74d60339d4668d463831fe218905816b72e07","campaigns":["big.js Typosquat SSH Backdoor"],"discovered_at":"2026-04-09"},{"kind":"sha256","value":"9d2037fc0ad9ada672d30e17a9496cbde392c5093a9fde0b8f16d28e2e0c50c7","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/9d2037fc0ad9ada672d30e17a9496cbde392c5093a9fde0b8f16d28e2e0c50c7","campaigns":["big.js Typosquat SSH Backdoor"],"discovered_at":"2026-04-09"},{"kind":"sha256","value":"7bff4518f4d49ddf3d04d8167a6f5f17aed9b3703290f65cf71c61ea61f0a7bc","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/7bff4518f4d49ddf3d04d8167a6f5f17aed9b3703290f65cf71c61ea61f0a7bc","campaigns":["big.js Typosquat SSH Backdoor"],"discovered_at":"2026-04-09"},{"kind":"sha256","value":"aa36d4bee44ee1d35af0e211e8cca957044c782b177787b1181d18d6d6323037","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/aa36d4bee44ee1d35af0e211e8cca957044c782b177787b1181d18d6d6323037","campaigns":["big.js Typosquat SSH 
Backdoor"],"discovered_at":"2026-04-09"},{"kind":"sha256","value":"f4914c528cf92a7e97ac3b24138afb86b4cd9db6960d92ffbbff36a1fb90ead9","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/f4914c528cf92a7e97ac3b24138afb86b4cd9db6960d92ffbbff36a1fb90ead9","campaigns":["big.js Typosquat SSH Backdoor"],"discovered_at":"2026-04-09"},{"kind":"sha256","value":"fc095d3e6a613e27d267d80b448101ef78b02ec07dd3993c734202839015fb54","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/fc095d3e6a613e27d267d80b448101ef78b02ec07dd3993c734202839015fb54","campaigns":["big.js Typosquat SSH Backdoor"],"discovered_at":"2026-04-09"},{"kind":"sha256","value":"86f60a2196c3d1355efdcfee41f1549c30c6081bf6c106d11e44a64691f8ebd3","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/86f60a2196c3d1355efdcfee41f1549c30c6081bf6c106d11e44a64691f8ebd3","campaigns":["big.js Typosquat SSH Backdoor"],"discovered_at":"2026-04-09"},{"kind":"email","value":"vanes.s.p.orit.a@googlemail.com","context":"Email indicator from blog post","href":"/ti/ioc/email/vanes.s.p.orit.a@googlemail.com","campaigns":["big.js Typosquat SSH Backdoor"],"discovered_at":"2026-04-09"},{"kind":"email","value":"support@polymarket.com","context":"Email indicator from blog post","href":"/ti/ioc/email/support@polymarket.com","campaigns":["big.js Typosquat SSH Backdoor"],"discovered_at":"2026-04-09"},{"kind":"email","value":"m8ch88l@gmail.com","context":"Email indicator from blog post","href":"/ti/ioc/email/m8ch88l@gmail.com","campaigns":[],"discovered_at":"2026-04-09"},{"kind":"domain","value":"telemetry.api-monitor.com","context":"Network indicator from blog post","href":"/ti/ioc/domain/telemetry.api-monitor.com","campaigns":["fairwords Credential Worm"],"discovered_at":"2026-04-08"},{"kind":"ipv4","value":"143.198.237.25","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/143.198.237.25","campaigns":["fairwords Credential 
Worm"],"discovered_at":"2026-04-08"},{"kind":"ipv4","value":"23.236.116.77","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/23.236.116.77","campaigns":["fairwords Credential Worm"],"discovered_at":"2026-04-08"},{"kind":"ipv4","value":"209.34.235.18","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/209.34.235.18","campaigns":["fairwords Credential Worm"],"discovered_at":"2026-04-08"},{"kind":"sha256","value":"4dbecce9ab3cf1739a9b90f9a9f304a3a44f69332320ae0753c129cf078e6f34","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/4dbecce9ab3cf1739a9b90f9a9f304a3a44f69332320ae0753c129cf078e6f34","campaigns":["fairwords Credential Worm"],"discovered_at":"2026-04-08"},{"kind":"sha256","value":"513eed96cabdea495a7141666eb77216dee6f0754ef643917346a47a2ff61476","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/513eed96cabdea495a7141666eb77216dee6f0754ef643917346a47a2ff61476","campaigns":["fairwords Credential Worm"],"discovered_at":"2026-04-08"},{"kind":"sha256","value":"834b6e5db5710b9308d0598978a0148a9dc832361f1fa0b7ad4343dcceba2812","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/834b6e5db5710b9308d0598978a0148a9dc832361f1fa0b7ad4343dcceba2812","campaigns":["fairwords Credential Worm"],"discovered_at":"2026-04-08"},{"kind":"domain","value":"89.36.224.5","context":"Network indicator from blog post","href":"/ti/ioc/domain/89.36.224.5","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-08"},{"kind":"domain","value":"datahub.ink","context":"Network indicator from blog post","href":"/ti/ioc/domain/datahub.ink","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-08"},{"kind":"domain","value":"cloud-sync.online","context":"Network indicator from blog post","href":"/ti/ioc/domain/cloud-sync.online","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-08"},{"kind":"domain","value":"byte-io.us","context":"Network indicator from blog 
post","href":"/ti/ioc/domain/byte-io.us","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-08"},{"kind":"domain","value":"api.ipify.org","context":"Network indicator from blog post. Public IP-lookup service that benign software also queries; a hit on this domain alone is weak evidence and should be correlated with other indicators.","href":"/ti/ioc/domain/api.ipify.org","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-08"},{"kind":"domain","value":"ipinfo.io","context":"Legitimate service abused by Epsilon Stealer for victim geolocation (GET /json). Also used for sandbox IP blacklist check.","href":"/ti/ioc/domain/ipinfo.io","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-08"},{"kind":"ipv4","value":"89.36.224.5","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/89.36.224.5","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-08"},{"kind":"ipv4","value":"208.115.220.17","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/208.115.220.17","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-08"},{"kind":"sha256","value":"0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/0a8ab3d16b12d3a453ee5a3208fe04744ad54514ef8ea27bb8fe32679efad270","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-08"},{"kind":"sha256","value":"0b028b781950641818800fee2b4bf68e4ef2bcee53fe71a21755275ba108783d","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/0b028b781950641818800fee2b4bf68e4ef2bcee53fe71a21755275ba108783d","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-08"},{"kind":"sha1","value":"dfd224461edb06c556ee0d5677bd78ddda80b910","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/dfd224461edb06c556ee0d5677bd78ddda80b910","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-08"},{"kind":"domain","value":"prod.universitecentrale.net","context":"Network indicator from blog post","href":"/ti/ioc/domain/prod.universitecentrale.net","campaigns":["No Specific 
Campaign"],"discovered_at":"2026-04-06"},{"kind":"domain","value":"urlvoelpilswwxkiosey.supabase.co","context":"Network indicator from blog post","href":"/ti/ioc/domain/urlvoelpilswwxkiosey.supabase.co","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-06"},{"kind":"domain","value":"chat.universitecentrale.net","context":"Network indicator from blog post","href":"/ti/ioc/domain/chat.universitecentrale.net","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-06"},{"kind":"ipv4","value":"146.0.0.0","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/146.0.0.0","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-06"},{"kind":"sha1","value":"333e5b7c412736685b3c296a58663a7763744949","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/333e5b7c412736685b3c296a58663a7763744949","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-06"},{"kind":"sha1","value":"4c385d4376314b24793b6b4e3526783f72383667","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/4c385d4376314b24793b6b4e3526783f72383667","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-06"},{"kind":"sha1","value":"2a6e3839766d215e40785f6b277dc2a34d4e2f71","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/2a6e3839766d215e40785f6b277dc2a34d4e2f71","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-06"},{"kind":"sha1","value":"442158353951337678587c236567276e767a3d39","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/442158353951337678587c236567276e767a3d39","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-06"},{"kind":"sha1","value":"3f3922326c646a2d2f78703073224a3e4a366761","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/3f3922326c646a2d2f78703073224a3e4a366761","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-06"},{"kind":"sha1","value":"3c335f732e6f5c3b48665745325c572b25724a60","context":"SHA-1/commit-like 
hash from blog post","href":"/ti/ioc/sha1/3c335f732e6f5c3b48665745325c572b25724a60","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-06"},{"kind":"sha1","value":"2968623b3a4c275d544149674522663559617b74","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/2968623b3a4c275d544149674522663559617b74","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-06"},{"kind":"sha1","value":"5551307d753c3c5a59333c25525f2f446d2a213e","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/5551307d753c3c5a59333c25525f2f446d2a213e","campaigns":[],"discovered_at":"2026-04-06"},{"kind":"sha1","value":"3d69675671616a6426515e7cc2a32e4ac2a32c33","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/3d69675671616a6426515e7cc2a32e4ac2a32c33","campaigns":[],"discovered_at":"2026-04-06"},{"kind":"sha1","value":"c2a32a743329604e5633767d4e7e567a48246476","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/c2a32a743329604e5633767d4e7e567a48246476","campaigns":[],"discovered_at":"2026-04-06"},{"kind":"domain","value":"admondtamang.com.np","context":"Network indicator from blog post","href":"/ti/ioc/domain/admondtamang.com.np","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-03"},{"kind":"domain","value":"gist.github.com","context":"Network indicator from blog post","href":"/ti/ioc/domain/gist.github.com","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-03"},{"kind":"domain","value":"gist.githubusercontent.com","context":"Network indicator from blog post","href":"/ti/ioc/domain/gist.githubusercontent.com","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-03"},{"kind":"sha256","value":"40aa5d412a50db79a814ac5ad65237745727cb4777843d66a760f64285a5a3e6","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/40aa5d412a50db79a814ac5ad65237745727cb4777843d66a760f64285a5a3e6","campaigns":["No Specific 
Campaign"],"discovered_at":"2026-04-03"},{"kind":"sha1","value":"1c5d51c2002f452a4dd58a1a73a9dd90a7fe0297","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/1c5d51c2002f452a4dd58a1a73a9dd90a7fe0297","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-03"},{"kind":"md5","value":"814132e794e5d007e9b8ebd223a9494f","context":"MD5 hash from blog post","href":"/ti/ioc/md5/814132e794e5d007e9b8ebd223a9494f","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-03"},{"kind":"md5","value":"0c0fc7a0c23cdb5e1c8f66b208053ed6","context":"MD5 hash from blog post","href":"/ti/ioc/md5/0c0fc7a0c23cdb5e1c8f66b208053ed6","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-03"},{"kind":"email","value":"admondtamang@gmail.com","context":"Email indicator from blog post","href":"/ti/ioc/email/admondtamang@gmail.com","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-03"},{"kind":"ipv4","value":"144.31.107.231","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/144.31.107.231","campaigns":["Strapi Plugin C2 Campaign"],"discovered_at":"2026-04-03"},{"kind":"email","value":"w1gtd@sharebot.net","context":"Email indicator from blog post","href":"/ti/ioc/email/w1gtd@sharebot.net","campaigns":["Strapi Plugin C2 Campaign"],"discovered_at":"2026-04-03"},{"kind":"domain","value":"jsonkeeper.com","context":"Network indicator from blog post","href":"/ti/ioc/domain/jsonkeeper.com","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-02"},{"kind":"domain","value":"216.126.237.71","context":"Network indicator from blog post","href":"/ti/ioc/domain/216.126.237.71","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-02"},{"kind":"ipv4","value":"216.126.237.71","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/216.126.237.71","campaigns":["No Specific Campaign","tanvisoul9 npm Backdoors"],"discovered_at":"2026-04-02"},{"kind":"ipv4","value":"216.126.229.166","context":"IP address indicator 
from blog post","href":"/ti/ioc/ipv4/216.126.229.166","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-02"},{"kind":"ipv4","value":"216.126.227.239","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/216.126.227.239","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-02"},{"kind":"sha256","value":"b5cca27ca1d792bd8c46b83fccfa4e5ba38916eb78877a19cbb39392ce98cc39","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/b5cca27ca1d792bd8c46b83fccfa4e5ba38916eb78877a19cbb39392ce98cc39","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-02"},{"kind":"md5","value":"a36adbc35e69b22acbf9f834a0deb286","context":"MD5 hash from blog post","href":"/ti/ioc/md5/a36adbc35e69b22acbf9f834a0deb286","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-02"},{"kind":"email","value":"tj@vision-media.ca","context":"Email indicator from blog post","href":"/ti/ioc/email/tj@vision-media.ca","campaigns":["No Specific Campaign"],"discovered_at":"2026-04-02"},{"kind":"domain","value":"sfrclak.com","context":"Network indicator from blog post","href":"/ti/ioc/domain/sfrclak.com","campaigns":["No Specific Campaign"],"discovered_at":"2026-03-31"},{"kind":"ipv4","value":"142.11.206.73","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/142.11.206.73","campaigns":["No Specific Campaign"],"discovered_at":"2026-03-31"},{"kind":"sha256","value":"5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/5bb67e88846096f1f8d42a0f0350c9c46260591567612ff9af46f98d1b7571cd","campaigns":["No Specific Campaign"],"discovered_at":"2026-03-31"},{"kind":"sha256","value":"59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/59336a964f110c25c112bcc5adca7090296b54ab33fa95c0744b94f8a0d80c0f","campaigns":["No Specific 
Campaign"],"discovered_at":"2026-03-31"},{"kind":"sha256","value":"fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf","campaigns":["No Specific Campaign"],"discovered_at":"2026-03-31"},{"kind":"sha256","value":"e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09","campaigns":["No Specific Campaign"],"discovered_at":"2026-03-31"},{"kind":"email","value":"npm-oidc-no-reply@github.com","context":"Email indicator from blog post","href":"/ti/ioc/email/npm-oidc-no-reply@github.com","campaigns":["No Specific Campaign"],"discovered_at":"2026-03-31"},{"kind":"email","value":"ifstap@proton.me","context":"Email indicator from blog post","href":"/ti/ioc/email/ifstap@proton.me","campaigns":["No Specific Campaign"],"discovered_at":"2026-03-31"},{"kind":"email","value":"jasonsaayman@gmail.com","context":"Email indicator from blog post","href":"/ti/ioc/email/jasonsaayman@gmail.com","campaigns":["No Specific Campaign"],"discovered_at":"2026-03-31"},{"kind":"email","value":"nrwise@proton.me","context":"Email indicator from blog post","href":"/ti/ioc/email/nrwise@proton.me","campaigns":["No Specific Campaign"],"discovered_at":"2026-03-31"},{"kind":"domain","value":"83.142.209.203","context":"Network indicator from blog post","href":"/ti/ioc/domain/83.142.209.203","campaigns":["TeamPCP"],"discovered_at":"2026-03-27"},{"kind":"ipv4","value":"83.142.209.203","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/83.142.209.203","campaigns":["TeamPCP"],"discovered_at":"2026-03-27"},{"kind":"sha256","value":"7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9","context":"SHA-256 hash from blog 
post","href":"/ti/ioc/sha256/7321caa303fe96ded0492c747d2f353c4f7d17185656fe292ab0a59e2bd0b8d9","campaigns":["TeamPCP"],"discovered_at":"2026-03-27"},{"kind":"sha256","value":"cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/cd08115806662469bbedec4b03f8427b97c8a4b3bc1442dc18b72b4e19395fe3","campaigns":["TeamPCP"],"discovered_at":"2026-03-27"},{"kind":"email","value":"support@telnyx.com","context":"Email indicator from blog post","href":"/ti/ioc/email/support@telnyx.com","campaigns":["TeamPCP"],"discovered_at":"2026-03-27"},{"kind":"domain","value":"models.litellm.cloud","context":"Network indicator from blog post","href":"/ti/ioc/domain/models.litellm.cloud","campaigns":["TeamPCP"],"discovered_at":"2026-03-24"},{"kind":"domain","value":"checkmarx.zone","context":"Network indicator from blog post","href":"/ti/ioc/domain/checkmarx.zone","campaigns":["TeamPCP"],"discovered_at":"2026-03-24"},{"kind":"sha256","value":"d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/d2a0d5f564628773b6af7b9c11f6b86531a875bd2d186d7081ab62748a800ebb","campaigns":["TeamPCP"],"discovered_at":"2026-03-24"},{"kind":"sha1","value":"9343aeefca37aa49a6ea54397d7615adae5c72c9","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/9343aeefca37aa49a6ea54397d7615adae5c72c9","campaigns":["TeamPCP"],"discovered_at":"2026-03-24"},{"kind":"domain","value":"malicanbur.pro","context":"Network indicator from blog post","href":"/ti/ioc/domain/malicanbur.pro","campaigns":["No Specific Campaign"],"discovered_at":"2026-03-16"},{"kind":"ipv4","value":"31.220.48.155","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/31.220.48.155","campaigns":["No Specific Campaign"],"discovered_at":"2026-03-16"},{"kind":"ipv4","value":"173.211.46.22","context":"IP address indicator from blog 
post","href":"/ti/ioc/ipv4/173.211.46.22","campaigns":["No Specific Campaign"],"discovered_at":"2026-03-16"},{"kind":"sha256","value":"0be2375362227f846c56c4de2db4d3113e197f0c605c297a7e0e0c154e94464e","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/0be2375362227f846c56c4de2db4d3113e197f0c605c297a7e0e0c154e94464e","campaigns":["No Specific Campaign"],"discovered_at":"2026-03-16"},{"kind":"sha256","value":"5196c3a832897e30c26da768379750bd3c886890e74d0f28a8921bbd19b553fc","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/5196c3a832897e30c26da768379750bd3c886890e74d0f28a8921bbd19b553fc","campaigns":["No Specific Campaign"],"discovered_at":"2026-03-16"},{"kind":"email","value":"jaimeandujo086@gmail.com","context":"Email indicator from blog post","href":"/ti/ioc/email/jaimeandujo086@gmail.com","campaigns":["No Specific Campaign"],"discovered_at":"2026-03-16"},{"kind":"domain","value":"discord.com","context":"Network indicator from blog post. Widely used legitimate platform; correlate with other indicators rather than alerting or blocking on the domain alone.","href":"/ti/ioc/domain/discord.com","campaigns":["No Specific Campaign","fucktestpad npm Malware"],"discovered_at":"2026-03-06"},{"kind":"sha256","value":"3733f0add545e5537a7d3171a132df51e0b4105aebe85db35dbe868a056d3d24","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/3733f0add545e5537a7d3171a132df51e0b4105aebe85db35dbe868a056d3d24","campaigns":["No Specific Campaign"],"discovered_at":"2026-03-06"},{"kind":"sha256","value":"62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/62ee164b9b306250c1172583f138c9614139264f889fa99614903c12755468d0","campaigns":["Shai-Hulud"],"discovered_at":"2025-11-24"},{"kind":"sha256","value":"a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a","context":"SHA-256 hash from blog 
post","href":"/ti/ioc/sha256/a3894003ad1d293ba96d77881ccd2071446dc3f65f434669b49b3da92421901a","campaigns":["Shai-Hulud"],"discovered_at":"2025-11-24"},{"kind":"email","value":"jaddyday2@gmail.com","context":"Email indicator from blog post","href":"/ti/ioc/email/jaddyday2@gmail.com","campaigns":["Enterprise Dependency Confusion"],"discovered_at":"2025-10-23"},{"kind":"domain","value":"webhook.site","context":"Network indicator from blog post. Public request-capture service with legitimate developer use; correlate with other indicators rather than alerting on the domain alone.","href":"/ti/ioc/domain/webhook.site","campaigns":["Shai-Hulud","No Specific Campaign"],"discovered_at":"2025-09-16"},{"kind":"sha256","value":"bc18414929992e8e8d2211f9c51ebc7241294a1af3cfdbdd5ca417974b2dac0b","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/bc18414929992e8e8d2211f9c51ebc7241294a1af3cfdbdd5ca417974b2dac0b","campaigns":["Shai-Hulud"],"discovered_at":"2025-09-16"},{"kind":"sha256","value":"46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/46faab8ab153fae6e80e7cca38eab363075bb524edd79e42269217a083628f09","campaigns":["Shai-Hulud"],"discovered_at":"2025-09-16"},{"kind":"email","value":"scttcper@gmail.com","context":"Email indicator from blog post","href":"/ti/ioc/email/scttcper@gmail.com","campaigns":["Shai-Hulud"],"discovered_at":"2025-09-16"},{"kind":"email","value":"github_token@github.com","context":"Email indicator from blog post","href":"/ti/ioc/email/github_token@github.com","campaigns":["Shai-Hulud"],"discovered_at":"2025-09-16"},{"kind":"sha1","value":"fc4a4858bafef54d1b1d7697bfb5c52f4c166976","context":"SHA-1/commit-like hash from blog post","href":"/ti/ioc/sha1/fc4a4858bafef54d1b1d7697bfb5c52f4c166976","campaigns":["qix npm Account Compromise"],"discovered_at":"2025-09-08"},{"kind":"md5","value":"19111111111111111111111111111111","context":"MD5 hash from blog post. The value is a single digit repeated after the leading 19, so it is probably a placeholder string matched by length rather than a real file digest; verify against the source post before using it for hash matching.","href":"/ti/ioc/md5/19111111111111111111111111111111","campaigns":["qix npm Account 
Compromise"],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x66a9893cC07D91D95644AEDD05D03f95e1dBA8Af","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x66a9893cC07D91D95644AEDD05D03f95e1dBA8Af","campaigns":["qix npm Account Compromise"],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x10ed43c718714eb63d5aa57b78b54704e256024e","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x10ed43c718714eb63d5aa57b78b54704e256024e","campaigns":["qix npm Account Compromise"],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x13f4ea83d0bd40e75c8222255bc855a974568dd4","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x13f4ea83d0bd40e75c8222255bc855a974568dd4","campaigns":["qix npm Account Compromise"],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x1111111254eeb25477b68fb85ed929f73a960582","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x1111111254eeb25477b68fb85ed929f73a960582","campaigns":["qix npm Account Compromise"],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xd9e1ce17f2641f24ae83637ab66a2cca9c378b9f","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xd9e1ce17f2641f24ae83637ab66a2cca9c378b9f","campaigns":["qix npm Account Compromise"],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xfc4a4858bafef54d1b1d7697bfb5c52f4c166976","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xfc4a4858bafef54d1b1d7697bfb5c52f4c166976","campaigns":["qix npm Account Compromise"],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x66a9893cc07d91d95644aedd05d03f95e1dba8af","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x66a9893cc07d91d95644aedd05d03f95e1dba8af","campaigns":["qix npm Account 
Compromise"],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976","campaigns":["qix npm Account Compromise"],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xa29eeFb3f21Dc8FA8bce065Db4f4354AA683c024","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xa29eeFb3f21Dc8FA8bce065Db4f4354AA683c024","campaigns":["qix npm Account Compromise"],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x40C351B989113646bc4e9Dfe66AE66D24fE6Da7B","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x40C351B989113646bc4e9Dfe66AE66D24fE6Da7B","campaigns":["qix npm Account Compromise"],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x30F895a2C66030795131FB66CBaD6a1f91461731","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x30F895a2C66030795131FB66CBaD6a1f91461731","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x57394449fE8Ee266Ead880D5588E43501cb84cC7","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x57394449fE8Ee266Ead880D5588E43501cb84cC7","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xCd422cCC9f6e8f30FfD6F68C0710D3a7F24a026A","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xCd422cCC9f6e8f30FfD6F68C0710D3a7F24a026A","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x7C502F253124A88Bbb6a0Ad79D9BeD279d86E8f4","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x7C502F253124A88Bbb6a0Ad79D9BeD279d86E8f4","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xe86749d6728d8b02c1eaF12383c686A8544de26A","context":"Cryptocurrency wallet address from blog 
post","href":"/ti/ioc/wallet/0xe86749d6728d8b02c1eaF12383c686A8544de26A","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xa4134741a64F882c751110D3E207C51d38f6c756","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xa4134741a64F882c751110D3E207C51d38f6c756","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xD4A340CeBe238F148034Bbc14478af59b1323d67","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xD4A340CeBe238F148034Bbc14478af59b1323d67","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xB00A433e1A5Fc40D825676e713E5E351416e6C26","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xB00A433e1A5Fc40D825676e713E5E351416e6C26","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xd9Df4e4659B1321259182191B683acc86c577b0f","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xd9Df4e4659B1321259182191B683acc86c577b0f","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x0a765FA154202E2105D7e37946caBB7C2475c76a","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x0a765FA154202E2105D7e37946caBB7C2475c76a","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xE291a6A58259f660E8965C2f0938097030Bf1767","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xE291a6A58259f660E8965C2f0938097030Bf1767","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xe46e68f7856B26af1F9Ba941Bc9cd06F295eb06D","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xe46e68f7856B26af1F9Ba941Bc9cd06F295eb06D","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xa7eec0c4911ff75AEd179c81258a348c40a36e53","context":"Cryptocurrency wallet address from blog 
post","href":"/ti/ioc/wallet/0xa7eec0c4911ff75AEd179c81258a348c40a36e53","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x3c6762469ea04c9586907F155A35f648572A0C3E","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x3c6762469ea04c9586907F155A35f648572A0C3E","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x322FE72E1Eb64F6d16E6FCd3d45a376efD4bC6b2","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x322FE72E1Eb64F6d16E6FCd3d45a376efD4bC6b2","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x51Bb31a441531d34210a4B35114D8EF3E57aB727","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x51Bb31a441531d34210a4B35114D8EF3E57aB727","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x314d5070DB6940C8dedf1da4c03501a3AcEE21E1","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x314d5070DB6940C8dedf1da4c03501a3AcEE21E1","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x75023D76D6cBf88ACeAA83447C466A9bBB0c5966","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x75023D76D6cBf88ACeAA83447C466A9bBB0c5966","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x1914F36c62b381856D1F9Dc524f1B167e0798e5E","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x1914F36c62b381856D1F9Dc524f1B167e0798e5E","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xB9e9cfd931647192036197881A9082cD2D83589C","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xB9e9cfd931647192036197881A9082cD2D83589C","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xE88ae1ae3947B6646e2c0b181da75CE3601287A4","context":"Cryptocurrency wallet address from blog 
post","href":"/ti/ioc/wallet/0xE88ae1ae3947B6646e2c0b181da75CE3601287A4","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x0D83F2770B5bDC0ccd9F09728B3eBF195cf890e2","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x0D83F2770B5bDC0ccd9F09728B3eBF195cf890e2","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xe2D5C35bf44881E37d7183DA2143Ee5A84Cd4c68","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xe2D5C35bf44881E37d7183DA2143Ee5A84Cd4c68","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xd21E6Dd2Ef006FFAe9Be8d8b0cdf7a667B30806d","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xd21E6Dd2Ef006FFAe9Be8d8b0cdf7a667B30806d","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x93Ff376B931B92aF91241aAf257d708B62D62F4C","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x93Ff376B931B92aF91241aAf257d708B62D62F4C","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x5C068df7139aD2Dedb840ceC95C384F25b443275","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x5C068df7139aD2Dedb840ceC95C384F25b443275","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x70D24a9989D17a537C36f2FB6d8198CC26c1c277","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x70D24a9989D17a537C36f2FB6d8198CC26c1c277","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x0ae487200606DEfdbCEF1A50C003604a36C68E64","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x0ae487200606DEfdbCEF1A50C003604a36C68E64","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xc5588A6DEC3889AAD85b9673621a71fFcf7E6B56","context":"Cryptocurrency wallet address from blog 
post","href":"/ti/ioc/wallet/0xc5588A6DEC3889AAD85b9673621a71fFcf7E6B56","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x3c23bA2Db94E6aE11DBf9cD2DA5297A09d7EC673","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x3c23bA2Db94E6aE11DBf9cD2DA5297A09d7EC673","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x5B5cA7d3089D3B3C6393C0B79cDF371Ec93a3fd3","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x5B5cA7d3089D3B3C6393C0B79cDF371Ec93a3fd3","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x4Cb4c0E7057829c378Eb7A9b174B004873b9D769","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x4Cb4c0E7057829c378Eb7A9b174B004873b9D769","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xd299f05D1504D0B98B1D6D3c282412FD4Df96109","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xd299f05D1504D0B98B1D6D3c282412FD4Df96109","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x241689F750fCE4A974C953adBECe0673Dc4956E0","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x241689F750fCE4A974C953adBECe0673Dc4956E0","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xBc5f75053Ae3a8F2B9CF9495845038554dDFb261","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xBc5f75053Ae3a8F2B9CF9495845038554dDFb261","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x5651dbb7838146fCF5135A65005946625A2685c8","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x5651dbb7838146fCF5135A65005946625A2685c8","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x5c9D146b48f664f2bB4796f2Bb0279a6438C38b1","context":"Cryptocurrency wallet address from blog 
post","href":"/ti/ioc/wallet/0x5c9D146b48f664f2bB4796f2Bb0279a6438C38b1","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xd2Bf42514d35952Abf2082aAA0ddBBEf65a00BA3","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xd2Bf42514d35952Abf2082aAA0ddBBEf65a00BA3","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xbB1EC85a7d0aa6Cd5ad7E7832F0b4c8659c44cc9","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xbB1EC85a7d0aa6Cd5ad7E7832F0b4c8659c44cc9","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x013285c02ab81246F1D68699613447CE4B2B4ACC","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x013285c02ab81246F1D68699613447CE4B2B4ACC","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x97A00E100BA7bA0a006B2A9A40f6A0d80869Ac9e","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x97A00E100BA7bA0a006B2A9A40f6A0d80869Ac9e","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x4Bf0C0630A562eE973CE964a7d215D98ea115693","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x4Bf0C0630A562eE973CE964a7d215D98ea115693","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x805aa8adb8440aEA21fDc8f2348f8Db99ea86Efb","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x805aa8adb8440aEA21fDc8f2348f8Db99ea86Efb","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xae9935793835D5fCF8660e0D45bA35648e3CD463","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xae9935793835D5fCF8660e0D45bA35648e3CD463","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xB051C0b7dCc22ab6289Adf7a2DcEaA7c35eB3027","context":"Cryptocurrency wallet address from blog 
post","href":"/ti/ioc/wallet/0xB051C0b7dCc22ab6289Adf7a2DcEaA7c35eB3027","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xf7a82C48Edf9db4FBe6f10953d4D889A5bA6780D","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xf7a82C48Edf9db4FBe6f10953d4D889A5bA6780D","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x06de68F310a86B10746a4e35cD50a7B7C8663b8d","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x06de68F310a86B10746a4e35cD50a7B7C8663b8d","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x51f3C0fCacF7d042605ABBE0ad61D6fabC4E1F54","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x51f3C0fCacF7d042605ABBE0ad61D6fabC4E1F54","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x49BCc441AEA6Cd7bC5989685C917DC9fb58289Cf","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x49BCc441AEA6Cd7bC5989685C917DC9fb58289Cf","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x7fD999f778c1867eDa9A4026fE7D4BbB33A45272","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x7fD999f778c1867eDa9A4026fE7D4BbB33A45272","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xe8749d2347472AD1547E1c6436F267F0EdD725Cb","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xe8749d2347472AD1547E1c6436F267F0EdD725Cb","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x2B471975ac4E4e29D110e43EBf9fBBc4aEBc8221","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0x2B471975ac4E4e29D110e43EBf9fBBc4aEBc8221","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x02004fE6c250F008981d8Fc8F9C408cEfD679Ec3","context":"Cryptocurrency wallet address from blog 
post","href":"/ti/ioc/wallet/0x02004fE6c250F008981d8Fc8F9C408cEfD679Ec3","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xC4A51031A7d17bB6D02D52127D2774A942987D39","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xC4A51031A7d17bB6D02D52127D2774A942987D39","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xa1b94fC12c0153D3fb5d60ED500AcEC430259751","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xa1b94fC12c0153D3fb5d60ED500AcEC430259751","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xdedda1A02D79c3ba5fDf28C161382b1A7bA05223","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xdedda1A02D79c3ba5fDf28C161382b1A7bA05223","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xE55f51991C8D01Fb5a99B508CC39B8a04dcF9D04","context":"Cryptocurrency wallet address from blog post","href":"/ti/ioc/wallet/0xE55f51991C8D01Fb5a99B508CC39B8a04dcF9D04","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0x7a250d5630b4cf539739df2c5dacb4c659f2488d","context":"Cryptocurrency wallet address from blog post. Note: this value matches the publicly documented Uniswap V2 Router02 contract address, a widely used legitimate contract rather than an attacker-controlled wallet; confirm its role in the source post before alerting or blocking on it alone.","href":"/ti/ioc/wallet/0x7a250d5630b4cf539739df2c5dacb4c659f2488d","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"wallet","value":"0xe592427a0aece92de3edee1f18e0157c05861564","context":"Cryptocurrency wallet address from blog post. Note: this value matches the publicly documented Uniswap V3 SwapRouter contract address, a widely used legitimate contract rather than an attacker-controlled wallet; confirm its role in the source post before alerting or blocking on it alone.","href":"/ti/ioc/wallet/0xe592427a0aece92de3edee1f18e0157c05861564","campaigns":[],"discovered_at":"2025-09-08"},{"kind":"sha256","value":"863d274bbeb22ab969f742a06d89bdf0ababb99fdeb074a0fd9057f28b1ef257","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/863d274bbeb22ab969f742a06d89bdf0ababb99fdeb074a0fd9057f28b1ef257","campaigns":["No Specific Campaign"],"discovered_at":"2025-08-12"},{"kind":"sha1","value":"9066ceeb391d9c7ba6aba650109c2fa3f8e088eb","context":"SHA-1/commit-like hash from blog 
post","href":"/ti/ioc/sha1/9066ceeb391d9c7ba6aba650109c2fa3f8e088eb","campaigns":["No Specific Campaign"],"discovered_at":"2025-08-12"},{"kind":"email","value":"graphite7199@gmail.com","context":"Email indicator from blog post","href":"/ti/ioc/email/graphite7199@gmail.com","campaigns":["No Specific Campaign"],"discovered_at":"2025-08-12"},{"kind":"email","value":"graphitediscord199@gmail.com","context":"Email indicator from blog post","href":"/ti/ioc/email/graphitediscord199@gmail.com","campaigns":["No Specific Campaign"],"discovered_at":"2025-08-12"},{"kind":"sha256","value":"31204fbbc097677d518e1c01d88cf24b491ef29cc8f56d1ef2b81e5ccc8440e2","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/31204fbbc097677d518e1c01d88cf24b491ef29cc8f56d1ef2b81e5ccc8440e2","campaigns":["eslint-config-prettier Compromise"],"discovered_at":"2025-07-21"},{"kind":"sha256","value":"c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441","context":"SHA-256 hash from blog post","href":"/ti/ioc/sha256/c68e42f416f482d43653f36cd14384270b54b68d6496a8e34ce887687de5b441","campaigns":["eslint-config-prettier Compromise"],"discovered_at":"2025-07-21"},{"kind":"ipv4","value":"206.214.129.67","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/206.214.129.67","campaigns":["No Specific Campaign"],"discovered_at":"2025-04-23"},{"kind":"ipv4","value":"8.152.163.60","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/8.152.163.60","campaigns":["No Specific Campaign"],"discovered_at":"2025-04-21"},{"kind":"ipv4","value":"13.60.183.44","context":"IP address indicator from blog post","href":"/ti/ioc/ipv4/13.60.183.44","campaigns":["No Specific Campaign"],"discovered_at":"2024-12-11"},{"kind":"ipv4","value":"13.60.0.0","context":"IP address indicator from blog post. Note: 13.60.0.0 is the first address of 13.60.0.0/14, the block that contains 13.60.183.44 (same discovery date); it is probably a range boundary quoted in the source post rather than an observed host, so verify before using it as a single-IP indicator.","href":"/ti/ioc/ipv4/13.60.0.0","campaigns":["No Specific Campaign"],"discovered_at":"2024-12-11"},{"kind":"ipv4","value":"13.63.255.255","context":"IP address indicator from blog 
post. Note: 13.63.255.255 is the last address of 13.60.0.0/14, the block that contains 13.60.183.44 (same discovery date); it is probably a range boundary quoted in the source post rather than an observed host, so verify before using it as a single-IP indicator.","href":"/ti/ioc/ipv4/13.63.255.255","campaigns":["No Specific Campaign"],"discovered_at":"2024-12-11"},{"kind":"email","value":"josh.weavery@gmail.com","context":"Email indicator from blog post","href":"/ti/ioc/email/josh.weavery@gmail.com","campaigns":["No Specific Campaign"],"discovered_at":"2024-11-04"}]