T1041
Exfiltration Over C2 Channel
discovered 2025-08-12Stolen credentials and host data exfiltrated to a Tor hidden-service C2 (/api/agent), with temp.sh as a Tor-tunneled fallback.
View on MITRE ATT&CKSeen in packages
- pypi bitensoruses
- pypi bittenso-cliuses
- pypi qbittensoruses
- pypi bittensouses
- npm nxuses
- npm @nx/jsuses
- npm ansi-stylesuses
- npm debuguses
- npm chalkuses
- npm supports-coloruses
- npm strip-ansiuses
- npm ansi-regexuses
- npm wrap-ansiuses
- npm color-convertuses
- npm color-nameuses
- npm is-arrayishuses
- npm slice-ansiuses
- npm error-exuses
- npm color-stringuses
- npm simple-swizzleuses
- npm supports-hyperlinksuses
- npm has-ansiuses
- npm chalk-templateuses
- npm backslashuses
- npm @ctrl/tinycoloruses
- npm @zapier/zapier-sdkuses
- npm @asyncapi/specsuses
- npm @quick-start-soft/quick-markdown-printuses
- npm @quick-start-soft/quick-markdownuses
- npm @quick-start-soft/quick-remove-image-backgrounduses
- npm @quick-start-soft/quick-git-clean-markdownuses
- npm @quick-start-soft/quick-document-translatoruses
- npm @quick-start-soft/quick-markdown-imageuses
- npm @quick-start-soft/quick-task-refineuses
- npm @asyncapi/modelinauses
- npm posthog-react-nativeuses
- npm posthog-nodeuses
- npm @postman/secret-scanner-wasmuses
- npm @postman/csv-parseuses
- npm @postman/node-keytaruses
- npm @postman/tunnel-agentuses
- npm @postman/wdio-allure-reporteruses
- npm @postman/postman-mcp-cliuses
- npm @postman/mcp-ui-clientuses
- npm @postman/wdio-junit-reporteruses
- npm @postman/pm-bin-macos-arm64uses
- npm @postman/pm-bin-linux-x64uses
- npm @postman/aether-iconsuses
- npm @Schedaero/shareduses
- npm pino-sdk-v2uses
- npm react-refresh-updateuses
- pypi litellmuses
- npm oc-aa-module-clientuses
- npm @wame/ngx-adfsuses
- npm @the-coca-cola-company/ngps-global-common-utilsuses
- npm cr-static-shared-componentsuses
- npm @ceeferenderer/fe-renderer-sdkuses
- pypi telnyxuses
- npm express-session-jsuses
- npm mgcuses
- pypi hermes-pxuses
- npm @fairwords/websocketuses
- npm @fairwords/loopback-connector-esuses
- npm @fairwords/encryptionuses
- npm @velora-dex/sdkuses
- npm sjs-bigintegeruses
- npm sjs-lint-build1uses
- npm bjs-bigintegeruses
- npm bjs-lint-builderuses
- npm bjs-lint-buildersuses
- npm cjs-bigintegeruses
- npm ts-lint-buildsuses
- npm dom-utils-liteuses
- npm centraloggeruses
- npm forge-jsxuses
- npm @johntaohunter/forge-jsxuses
- npm js-logger-packuses
- npm ixpresso-coreuses
- npm godsplanuses
- npm eyevoxuses
- npm @cap-js/sqliteuses
- npm @cap-js/postgresuses
- npm @cap-js/db-serviceuses
- npm mbtuses
- npm npm-global-utiluses
- npm redeem-onchain-sdkuses
- pypi pytorch-lightninguses
- npm exioussuses
- npm common-tg-serviceuses
- npm node-env-resolveuses
- npm noon-contractsuses
- npm @tanstack/arktype-adapteruses
- npm @tanstack/eslint-plugin-routeruses
- npm @tanstack/eslint-plugin-startuses
- npm @tanstack/historyuses
- npm @tanstack/nitro-v2-vite-pluginuses
- npm @tanstack/react-routeruses
- npm @tanstack/react-router-devtoolsuses
- npm @tanstack/react-router-ssr-queryuses
- npm @tanstack/react-startuses
- npm @tanstack/react-start-clientuses
- npm @tanstack/react-start-rscuses
- npm @tanstack/react-start-serveruses
- npm @tanstack/router-cliuses
- npm @tanstack/router-coreuses
- npm @tanstack/router-devtoolsuses
- npm @tanstack/router-devtools-coreuses
- npm @tanstack/router-generatoruses
- npm @tanstack/router-pluginuses
- npm @tanstack/router-ssr-query-coreuses
- npm @tanstack/router-utilsuses
- npm @tanstack/router-vite-pluginuses
- npm @tanstack/solid-routeruses
- npm @tanstack/solid-router-devtoolsuses
- npm @tanstack/solid-router-ssr-queryuses
- npm @tanstack/solid-startuses
- npm @tanstack/solid-start-clientuses
- npm @tanstack/solid-start-serveruses
- npm @tanstack/start-client-coreuses
- npm @tanstack/start-fn-stubsuses
- npm @tanstack/start-plugin-coreuses
- npm @tanstack/start-server-coreuses
- npm @tanstack/start-static-server-functionsuses
- npm @tanstack/start-storage-contextuses
- npm @tanstack/valibot-adapteruses
- npm @tanstack/virtual-file-routesuses
- npm @tanstack/vue-routeruses
- npm @tanstack/vue-router-devtoolsuses
- npm @tanstack/vue-router-ssr-queryuses
- npm @tanstack/vue-startuses
- npm @tanstack/vue-start-clientuses
- npm @tanstack/vue-start-serveruses
- npm @tanstack/zod-adapteruses
- npm node-ipcuses
- npm @antv/a8uses
- npm @antv/adjustuses
- npm @antv/algorithmuses
- npm @antv/async-hookuses
- npm @antv/attruses
- npm @antv/avauses
- npm @antv/ava-reactuses
- npm @antv/awardsuses
- npm @antv/calendar-heatmapuses
- npm @antv/chart-linteruses
- npm @antv/chart-node-g6uses
- npm @antv/chart-visualization-skillsuses
- npm @antv/ckbuses
- npm @antv/color-schemauses
- npm @antv/color-utiluses
- npm @antv/componentuses
- npm @antv/coorduses
- npm @antv/d3-coloruses
- npm @antv/d3-interpolateuses
- npm @antv/data-samplesuses
- npm @antv/data-setuses
- npm @antv/data-wizarduses
- npm @antv/dipper-componentuses
- npm @antv/dipper-hooksuses
- npm @antv/dipper-mapuses
- npm @antv/dom-utiluses
- npm @antv/dumi-theme-antvuses
- npm @antv/dw-analyzeruses
- npm @antv/dw-randomuses
- npm @antv/dw-transformuses
- npm @antv/dw-utiluses
- npm @antv/event-emitteruses
- npm @antv/expruses
- npm @antv/f2uses
- npm @antv/f2-algorithmuses
- npm @antv/f2-canvasuses
- npm @antv/f2-contextuses
- npm @antv/f2-graphicuses
- npm @antv/f2-myuses
- npm @antv/f2-reactuses
- npm @antv/f2-siteuses
- npm @antv/f2-vueuses
- npm @antv/f2-wordclouduses
- npm @antv/f2-wxuses
- npm @antv/f6uses
- npm @antv/f6-alipayuses
- npm @antv/f6-coreuses
- npm @antv/f6-elementuses
- npm @antv/f6-hammerjsuses
- npm @antv/f6-pluginuses
- npm @antv/f6-uiuses
- npm @antv/f6-wxuses
- npm @antv/f-chartsuses
- npm @antv/f-engineuses
- npm @antv/f-lottieuses
- npm @antv/f-myuses
- npm @antv/f-reactuses
- npm @antv/f-test-utilsuses
- npm @antv/f-vueuses
- npm @antv/f-wxuses
- npm @antv/g2uses
- npm @antv/g2-brushuses
- npm @antv/g2-extension-3duses
- npm @antv/g2-extension-avauses
- npm @antv/g2-extension-plotuses
- npm @antv/g2plotuses
- npm @antv/g2plot-schemasuses
- npm @antv/g2-plugin-slideruses
- npm @antv/g2-ssruses
- npm @antv/guses
- npm @antv/g6uses
- npm @antv/g6-alipayuses
- npm @antv/g6-cliuses
- npm @antv/g6-coreuses
- npm @antv/g6-editoruses
- npm @antv/g6-elementuses
- npm @antv/g6-extension-3duses
- npm @antv/g6-extension-reactuses
- npm @antv/g6-mobileuses
- npm @antv/g6-pcuses
- npm @antv/g6-pluginuses
- npm @antv/g6-plugin-map-viewuses
- npm @antv/g6-pluginsuses
- npm @antv/g6-react-nodeuses
- npm @antv/g6-ssruses
- npm @antv/g6-wxuses
- npm @antv/gatsby-themeuses
- npm @antv/g-baseuses
- npm @antv/g-camera-apiuses
- npm @antv/g-canvasuses
- npm @antv/g-canvaskituses
- npm @antv/g-compatuses
- npm @antv/g-componentsuses
- npm @antv/g-css-layout-apiuses
- npm @antv/g-css-typed-om-apiuses
- npm @antv/g-device-apiuses
- npm @antv/g-dom-mutation-observer-apiuses
- npm @antv/geo-coorduses
- npm @antv/g-gestureuses
- npm @antv/gi-assets-advanceuses
- npm @antv/gi-assets-algorithmuses
- npm @antv/gi-assets-basicuses
- npm @antv/gi-assets-galaxybaseuses
- npm @antv/gi-assets-graphscopeuses
- npm @antv/gi-assets-hugegraphuses
- npm @antv/gi-assets-janusgraphuses
- npm @antv/gi-assets-neo4juses
- npm @antv/gi-assets-sceneuses
- npm @antv/gi-assets-tugraphuses
- npm @antv/gi-assets-tugraph-analyticsuses
- npm @antv/gi-assets-xlabuses
- npm @antv/gi-cliuses
- npm @antv/gi-common-componentsuses
- npm @antv/g-image-exporteruses
- npm @antv/gi-mock-datauses
- npm @antv/gi-public-datauses
- npm @antv/gi-sdkuses
- npm @antv/gi-sdk-appuses
- npm @antv/gi-theme-antduses
- npm @antv/github-config-cliuses
- npm @antv/g-layout-blocklikeuses
- npm @antv/g-liteuses
- npm @antv/gl-matrixuses
- npm @antv/g-lottie-playeruses
- npm @antv/g-mathuses
- npm @antv/g-mobileuses
- npm @antv/g-mobile-canvasuses
- npm @antv/g-mobile-canvas-elementuses
- npm @antv/g-mobile-svguses
- npm @antv/g-mobile-webgluses
- npm @antv/g-patternuses
- npm @antv/g-perfuses
- npm @antv/g-plugin-3duses
- npm @antv/g-plugin-a11yuses
- npm @antv/g-plugin-annotationuses
- npm @antv/g-plugin-box2duses
- npm @antv/g-plugin-canvaskit-rendereruses
- npm @antv/g-plugin-canvas-path-generatoruses
- npm @antv/g-plugin-canvas-pickeruses
- npm @antv/g-plugin-canvas-rendereruses
- npm @antv/g-plugin-controluses
- npm @antv/g-plugin-css-selectuses
- npm @antv/g-plugin-device-rendereruses
- npm @antv/g-plugin-dom-interactionuses
- npm @antv/g-plugin-dragndropuses
- npm @antv/g-plugin-gestureuses
- npm @antv/g-plugin-gpgpuuses
- npm @antv/g-plugin-html-rendereruses
- npm @antv/g-plugin-image-loaderuses
- npm @antv/g-plugin-matterjsuses
- npm @antv/g-plugin-mobile-interactionuses
- npm @antv/g-plugin-physxuses
- npm @antv/g-plugin-rough-canvas-rendereruses
- npm @antv/g-plugin-rough-svg-rendereruses
- npm @antv/g-plugin-svg-pickeruses
- npm @antv/g-plugin-svg-rendereruses
- npm @antv/g-plugin-webgl-deviceuses
- npm @antv/g-plugin-webgl-rendereruses
- npm @antv/g-plugin-webgpu-deviceuses
- npm @antv/g-plugin-yogauses
- npm @antv/g-plugin-zdog-canvas-rendereruses
- npm @antv/g-plugin-zdog-svg-rendereruses
- npm @antv/gpt-visuses
- npm @antv/gpt-vis-ssruses
- npm @antv/graphinuses
- npm @antv/graphin-componentsuses
- npm @antv/graphin-graphscopeuses
- npm @antv/graphin-iconsuses
- npm @antv/graphlibuses
- npm @antv/g-shader-componentsuses
- npm @antv/g-svguses
- npm @antv/g-web-animations-apiuses
- npm @antv/g-web-componentsuses
- npm @antv/g-webgluses
- npm @antv/g-webgl-computeuses
- npm @antv/g-webgpuuses
- npm @antv/g-webgpu-compileruses
- npm @antv/g-webgpu-coreuses
- npm @antv/g-webgpu-engineuses
- npm @antv/g-webgpu-raytraceruses
- npm @antv/g-webgpu-unitchartuses
- npm @antv/hierarchyuses
- npm @antv/infographicuses
- npm @antv/insight-componentuses
- npm @antv/interactionuses
- npm @antv/istanbuluses
- npm @antv/knowledgeuses
- npm @antv/l7uses
- npm @antv/l7-componentuses
- npm @antv/l7-composite-layersuses
- npm @antv/l7-coreuses
- npm @antv/l7-districtuses
- npm @antv/l7-drawuses
- npm @antv/l7-editoruses
- npm @antv/l7-extension-g-layeruses
- npm @antv/l7-layersuses
- npm @antv/l7-leafletuses
- npm @antv/l7-mapuses
- npm @antv/l7-mapkituses
- npm @antv/l7-mapsuses
- npm @antv/l7-miniuses
- npm @antv/l7-passuses
- npm @antv/l7plotuses
- npm @antv/l7plot-componentuses
- npm @antv/l7-reactuses
- npm @antv/l7-rendereruses
- npm @antv/l7-sceneuses
- npm @antv/l7-sourceuses
- npm @antv/l7-threeuses
- npm @antv/l7-utilsuses
- npm @antv/larkmapuses
- npm @antv/layout-gpuuses
- npm @antv/layout-wasmuses
- npm @antv/li-aiearth-assetsuses
- npm @antv/li-analysis-assetsuses
- npm @antv/li-core-assetsuses
- npm @antv/li-editoruses
- npm @antv/li-p2uses
- npm @antv/li-sam-assetsuses
- npm @antv/li-sdkuses
- npm @antv/lite-insightuses
- npm @antv/matrix-utiluses
- npm @antv/mcp-server-antvuses
- npm @antv/mcp-server-chartuses
- npm @antv/my-f2uses
- npm @antv/my-f2-pcuses
- npm @antv/narrative-text-editoruses
- npm @antv/narrative-text-schemauses
- npm @antv/narrative-text-visuses
- npm @antv/path-utiluses
- npm @antv/react-guses
- npm @antv/s2uses
- npm @antv/s2-reactuses
- npm @antv/s2-react-componentsuses
- npm @antv/s2-ssruses
- npm @antv/s2-vueuses
- npm @antv/samuses
- npm @antv/scaleuses
- npm @antv/semantic-release-pnpmuses
- npm @antv/smart-coloruses
- npm @antv/statuses
- npm @antv/t8uses
- npm @antv/thumbnailsuses
- npm @antv/thumbnails-componentuses
- npm @antv/torchuses
- npm @antv/translatoruses
- npm @antv/utiluses
- npm @antv/vendoruses
- npm @antv/vis-predict-engineuses
- npm @antv/webgpu-graphuses
- npm @antv/word-scale-chartuses
- npm @antv/wx-f2uses
- npm @antv/x6uses
- npm @antv/x6-angular-shapeuses
- npm @antv/x6-commonuses
- npm @antv/x6-componentsuses
- npm @antv/x6-geometryuses
- npm @antv/x6-plugin-clipboarduses
- npm @antv/x6-plugin-dnduses
- npm @antv/x6-plugin-exportuses
- npm @antv/x6-plugin-historyuses
- npm @antv/x6-plugin-keyboarduses
- npm @antv/x6-plugin-minimapuses
- npm @antv/x6-plugin-scrolleruses
- npm @antv/x6-plugin-selectionuses
- npm @antv/x6-plugin-snaplineuses
- npm @antv/x6-plugin-stenciluses
- npm @antv/x6-plugin-transformuses
- npm @antv/x6-reactuses
- npm @antv/x6-react-componentsuses
- npm @antv/x6-react-shapeuses
- npm @antv/x6-vectoruses
- npm @antv/x6-vue3-shapeuses
- npm @antv/x6-vue-shapeuses
- npm @antv/xflowuses
- npm @antv/xflow-coreuses
- npm @antv/xflow-diffuses
- npm @antv/xflow-extensionuses
- npm @antv/xflow-hookuses
- pypi durabletaskuses
- npm polymarket-trading-cliuses
- npm polymarket-terminaluses
- npm polymarket-tradeuses
- npm polymarket-auto-tradeuses
- npm polymarket-copy-tradinguses
- npm polymarket-botuses
- npm polymarket-claude-codeuses
- npm polymarket-ai-agentuses
- npm polymarket-traderuses
- npm @cloudplatform-single-spa/billinguses
- npm @mlspace/shared-storageuses
- npm @car-loans/mobile-car-loans-applicationuses
- npm @fb-deposit/form-deposituses
- npm @debit-ib/mobile-debit-ib-additional-card-formuses
- npm @redhat-cloud-services/patch-clientuses
- npm weavedb-sdkuses
- crates oneringuses
Campaigns
- Bittensor Typosquat Campaignattributed-to
- s1ngularity nx Build System Compromiseattributed-to
- qix npm Account Compromiseattributed-to
- Shai-Huludattributed-to
- Enterprise Dependency Confusionattributed-to
- No Specific Campaignattributed-to
- TeamPCPattributed-to
- fairwords Credential Wormattributed-to
- big.js Typosquat SSH Backdoorattributed-to
- tanvisoul9 npm Backdoorsattributed-to
- forge-jsx RATattributed-to
- Contagious Interviewattributed-to
- fucktestpad npm Malwareattributed-to
- Mini Shai-Huludattributed-to
- Crypto Wallet Drainersattributed-to
- shetty123 Telegram Hijackattributed-to
- oob-moika-tech-depconf-2026attributed-to
- Miasma: The Spreading Blightattributed-to
- IronWormattributed-to
