{ "type": "Domain", "indicator": "calltan.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/calltan.com", "alexa": "http://www.alexa.com/siteinfo/calltan.com", "indicator": "calltan.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4294579243, "indicator": "calltan.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "69ce83659fb527eb96c998a2", "name": "Malicious Axios Packages Published to npm in New Supply Chain Compromise", "description": "A recent supply chain compromise has been identified affecting the widely utilized JavaScript HTTP client axios, wherein malicious versions of the package were published to npm using compromised maintainer credentials. The exploitation involves the deployment of a Remote Access Trojan (RAT) through a fabricated dependency labeled plain-crypto-js@4.2.1. Notably, this dependency is not directly imported by axios, functioning instead as a dropper that executes a postinstall script upon installation.", "modified": "2026-05-04T15:01:49.491000", "created": "2026-04-02T14:55:33.872000", "tags": [ "truesec", "post body", "temp", "cicd", "rotate npm", "monitor", "npm supplychain", "risk detection", "urls", "network", "remote access" ], "references": [ "https://www.truesec.com/hub/blog/malicious-axios-packages-npm-in-supply-chain-compromise", "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan", "https://www.derp.ca/research/axios-npm-supply-chain-rat/", "https://socket.dev/blog/axios-npm-package-compromised", "https://socradar.io/blog/axios-npm-supply-chain-attack-2026-ciso-guide/", "https://www.malwarebytes.com/blog/news/2026/03/axios-supply-chain-attack-chops-away-at-npm-trust", "https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections", "https://www.crowdstrike.com/en-us/blog/stardust-chollima-likely-compromises-axios-npm-package/", "https://blog.nviso.eu/2026/04/03/the-axios-npm-supply-chain-incident-fake-dependency-real-backdoor/", "https://hunt.io/blog/axios-supply-chain-attack-ta444-bluenoroff", "https://www.zscaler.com/blogs/security-research/supply-chain-attacks-surge-march-2026", "https://blog.talosintelligence.com/axois-npm-supply-chain-incident/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 58, "FileHash-SHA1": 62, "FileHash-SHA256": 60, "URL": 28, "domain": 19, "email": 5, "hostname": 10, "CIDR": 2, "CVE": 2 }, "indicator_count": 246, "is_author": false, "is_subscribing": null, "subscriber_count": 545, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.zscaler.com/blogs/security-research/supply-chain-attacks-surge-march-2026", "https://socradar.io/blog/axios-npm-supply-chain-attack-2026-ciso-guide/", "https://www.malwarebytes.com/blog/news/2026/03/axios-supply-chain-attack-chops-away-at-npm-trust", "https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections", "https://socket.dev/blog/axios-npm-package-compromised", "https://www.derp.ca/research/axios-npm-supply-chain-rat/", "https://blog.talosintelligence.com/axois-npm-supply-chain-incident/", "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan", "https://blog.nviso.eu/2026/04/03/the-axios-npm-supply-chain-incident-fake-dependency-real-backdoor/", "https://hunt.io/blog/axios-supply-chain-attack-ta444-bluenoroff", "https://www.crowdstrike.com/en-us/blog/stardust-chollima-likely-compromises-axios-npm-package/", "https://www.truesec.com/hub/blog/malicious-axios-packages-npm-in-supply-chain-compromise" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "69ce83659fb527eb96c998a2", "name": "Malicious Axios Packages Published to npm in New Supply Chain Compromise", "description": "A recent supply chain compromise has been identified affecting the widely utilized JavaScript HTTP client axios, wherein malicious versions of the package were published to npm using compromised maintainer credentials. The exploitation involves the deployment of a Remote Access Trojan (RAT) through a fabricated dependency labeled plain-crypto-js@4.2.1. Notably, this dependency is not directly imported by axios, functioning instead as a dropper that executes a postinstall script upon installation.", "modified": "2026-05-04T15:01:49.491000", "created": "2026-04-02T14:55:33.872000", "tags": [ "truesec", "post body", "temp", "cicd", "rotate npm", "monitor", "npm supplychain", "risk detection", "urls", "network", "remote access" ], "references": [ "https://www.truesec.com/hub/blog/malicious-axios-packages-npm-in-supply-chain-compromise", "https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan", "https://www.derp.ca/research/axios-npm-supply-chain-rat/", "https://socket.dev/blog/axios-npm-package-compromised", "https://socradar.io/blog/axios-npm-supply-chain-attack-2026-ciso-guide/", "https://www.malwarebytes.com/blog/news/2026/03/axios-supply-chain-attack-chops-away-at-npm-trust", "https://www.elastic.co/security-labs/axios-supply-chain-compromise-detections", "https://www.crowdstrike.com/en-us/blog/stardust-chollima-likely-compromises-axios-npm-package/", "https://blog.nviso.eu/2026/04/03/the-axios-npm-supply-chain-incident-fake-dependency-real-backdoor/", "https://hunt.io/blog/axios-supply-chain-attack-ta444-bluenoroff", "https://www.zscaler.com/blogs/security-research/supply-chain-attacks-surge-march-2026", "https://blog.talosintelligence.com/axois-npm-supply-chain-incident/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 58, "FileHash-SHA1": 62, "FileHash-SHA256": 60, "URL": 28, "domain": 19, "email": 5, "hostname": 10, "CIDR": 2, "CVE": 2 }, "indicator_count": 246, "is_author": false, "is_subscribing": null, "subscriber_count": 545, "modified_text": "28 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "calltan.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "calltan.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780327072.604819 }