PULSE NAME: Supply Chain Attack IOCs - GitHub Pattern 38 + npm MUT-4831 (DugganUSA)
WHITE pduggusa 2025-11-30 Modified: 2025-12-30
7 IOCs | LOW VOLUME
Supply chain attacks via package repos and issue comments. Links to MUT-4831 (npm/Vidar) pulse 6910960e3c6a04215cbdbc63. Pattern 38 GitHub accounts, C2 infrastructure, malware hashes. STIX: analytics.dugganusa.com/api/v1/stix-feed
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
MALWARE FAMILIES: Stealc, Vidar, Rhadamanthys
Indicators of Compromise (7)
TYPE | INDICATOR | DESCRIPTION | CREATED
FileHash-SHA256 | 23c909ea83cd7428a37189f228f4782693c1726381c886712135defca5924a68 | 18/70 VT detections | 2025-11-30
domain | bullethost.cloud | Bulletproof hosting for npm package payloads. | 2025-11-30
domain | server24x.com | Vidar C2 staging domain. | 2025-11-30
FileHash-SHA256 | aa49d14ddd6c0c24febab8dce52ce3835eb1c9280738978da70b1eae0d718925 | Trojanized npm package payload. | 2025-11-30
domain | bullethost.cloud | | 2025-11-30
domain | server24x.com | | 2025-11-30
FileHash-SHA256 | aa49d14ddd6c0c24febab8dce52ce3835eb1c9280738978da70b1eae0d718925 | | 2025-11-30