malware npm
dom-utils-lite
discovered 2026-04-14dom-utils-lite is identified in the SafeDep analysis "Malicious dom-utils-lite npm SSH Backdoor via Supabase". dom-utils-lite and centralogger on npm inject attacker SSH keys into ~/.ssh/authorized_keys and exfiltrate server metadata to Supabase-hosted C2 infrastructure, granting persistent remote access.
Threat types
persistence data_exfiltration c2_agent
Malicious versions
- 1.0.0
Campaigns
Indicators
- domain xienztiavkygvacpqzgr.supabase.cocommunicates-with
- domain ndfcioahsbgsjmulpjgt.supabase.cocommunicates-with
- sha256 4600db4fc30fb6ffa68deed4a25679e674bb3a3e8dae31f3dfc83bea0d757a8findicates
- sha256 2e131f47090516e5a60553aa40d46823e08162390c1d6deb075cf317f00309f7indicates
- email tanvisoul9@gmail.comexfiltrates-to
Techniques
- ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
- ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
- ttp T1041 Exfiltration Over C2 Channeluses
- ttp T1552.004 Unsecured Credentials: Private Keysuses
- ttp T1105 Ingress Tool Transferuses
- ttp T1071.001 Application Layer Protocol: Web Protocolsuses
- ttp T1102 Web Serviceuses
- ttp T1546 Event Triggered Executionuses
