malware npm

centralogger

discovered 2026-04-14

centralogger is identified in the SafeDep analysis "Malicious dom-utils-lite npm SSH Backdoor via Supabase". dom-utils-lite and centralogger on npm inject attacker SSH keys into ~/.ssh/authorized_keys and exfiltrate server metadata to Supabase-hosted C2 infrastructure, granting persistent remote access.

more…

Threat types

persistence data_exfiltration c2_agent

Malicious versions

1.0.5
1.0.6
1.0.7
1.0.8
1.0.9

Campaigns

tanvisoul9 npm Backdoorsattributed-to

Indicators

domain xienztiavkygvacpqzgr.supabase.cocommunicates-with
domain ndfcioahsbgsjmulpjgt.supabase.cocommunicates-with
sha256 4600db4fc30fb6ffa68deed4a25679e674bb3a3e8dae31f3dfc83bea0d757a8findicates
sha256 2e131f47090516e5a60553aa40d46823e08162390c1d6deb075cf317f00309f7indicates
email tanvisoul9@gmail.comexfiltrates-to

Techniques

ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
ttp T1041 Exfiltration Over C2 Channeluses
ttp T1552.004 Unsecured Credentials: Private Keysuses
ttp T1105 Ingress Tool Transferuses
ttp T1071.001 Application Layer Protocol: Web Protocolsuses
ttp T1102 Web Serviceuses
ttp T1546 Event Triggered Executionuses

Read the full analysis →