PULSE NAME
Hackers Flood NPM with Bogus Packages Causing a DoS Attack
WHITE parvesh4399 2023-04-10 Modified: 2023-05-10
39 IOCs
MEDIUM VOLUME
A month ago, the open-source npm (NPM) platform became unstable due to a flood of spam, SEO poisoning and malware, and a Denial of Service (DoS) attack.
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
Indicators of Compromise (39)