{ "type": "Domain", "indicator": "checkmarx.cx", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/checkmarx.cx", "alexa": "http://www.alexa.com/siteinfo/checkmarx.cx", "indicator": "checkmarx.cx", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4325472213, "indicator": "checkmarx.cx", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "69ec0475e74facdf3bf89ce1", "name": "The npm Threat Landscape: Attack Surface and Mitigations", "description": "The npm ecosystem experienced a critical shift in September 2025 with the Shai-Hulud worm, marking the transition from isolated attacks to systematic supply chain compromises. In April 2026, TeamPCP launched a coordinated campaign through a malicious @bitwarden/cli package targeting multiple distribution channels including Docker Hub, GitHub Actions, and VS Code extensions. The multi-stage payload employs advanced obfuscation, harvests credentials from cloud providers and developer workstations, exfiltrates data through encrypted HTTPS and GitHub repositories, and self-propagates by backdooring npm packages using stolen tokens. The malware implements GitHub's search API as a resilient command-and-control fallback mechanism and features anti-detection measures including Russian locale killswitches. This represents an evolution toward wormable propagation, infrastructure-level persistence, and dormant payloads that activate under specific conditions.", "modified": "2026-04-27T08:37:36.349000", "created": "2026-04-25T00:01:57.586000", "tags": [ "obfuscation", "worm propagation", "self-replicating malware", "credential harvesting", "npm packages", "ci/cd compromise", "shai-hulud", "github", "supply chain" ], "references": [ "https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/", "https://unit42.paloaltonetworks.com/wp-content/uploads/2026/04/05_Malware_Category_1920x900.jpg" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "Shai-Hulud", "display_name": "Shai-Hulud", "target": null } ], "attack_ids": [ { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1087.004", "name": "Cloud Account", "display_name": "T1087.004 - Cloud Account" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "FileHash-SHA256": 3, "URL": 1, "domain": 1, "hostname": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 386456, "modified_text": "33 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a06839ffcfce247f77b6e31", "name": "IOC - Analyzing TeamPCP\u2019s Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft", "description": "TeamPCP has been identified as running a coordinated campaign from March 19 through April 24, with at least seven distinct waves identified. It finds trusted artifacts in developer tool chains, poisons the distribution channel using that project\u2019s own infrastructure, and harvests credentials before the project\u2019s maintainers or security monitoring catches the substitution. The targets span five programming ecosystems and three registry types.", "modified": "2026-05-15T02:23:27.027000", "created": "2026-05-15T02:23:27.027000", "tags": [ "checkmarx kics", "bitwarden", "bitwarden cli", "kics", "c2 domain", "10 mb", "kics elf", "docker", "cli loader", "cli payload", "python", "exfiltration", "prior", "shell" ], "references": [ "https://www.trendmicro.com/en_us/research/26/e/analyzing-teampcp-supply-chain-attacks.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 4, "FileHash-SHA256": 6, "IPv4": 3, "URL": 1, "domain": 2, "hostname": 2 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a023d1c0e550290a3ea3407", "name": "Ongoing Checkmarx Supply Chain Security Incident", "description": "On March 23, 2026, Checkmarx experienced a supply chain security incident related to compromised developer artifacts following the Trivy supply chain attack. Attackers exploited vulnerabilities in the Trivy scanner, potentially harvesting credentials from downstream users. This unauthorized access enabled them to publish malicious code to Checkmarx's GitHub repositories, where they interacted with the environment and published compromised versions of plugins.", "modified": "2026-05-11T20:33:32.260000", "created": "2026-05-11T20:33:32.260000", "tags": [ "file", "sha256", "window", "block", "march" ], "references": [ "https://checkmarx.com/blog/ongoing-security-updates/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "IPv4": 3, "domain": 2, "hostname": 2 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f05bee4159cfffc6b12a9f", "name": "The npm Threat Landscape: Attack Surface and Mitigations", "description": "", "modified": "2026-04-28T07:04:14.767000", "created": "2026-04-28T07:04:14.767000", "tags": [ "obfuscation", "worm propagation", "self-replicating malware", "credential harvesting", "npm packages", "ci/cd compromise", "shai-hulud", "github", "supply chain" ], "references": [ "https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/", "https://unit42.paloaltonetworks.com/wp-content/uploads/2026/04/05_Malware_Category_1920x900.jpg" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "Shai-Hulud", "display_name": "Shai-Hulud", "target": null } ], "attack_ids": [ { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1087.004", "name": "Cloud Account", "display_name": "T1087.004 - Cloud Account" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": "69ec0475e74facdf3bf89ce1", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "FileHash-SHA256": 3, "URL": 1, "domain": 1, "hostname": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "32 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/", "https://unit42.paloaltonetworks.com/wp-content/uploads/2026/04/05_Malware_Category_1920x900.jpg", "IOCs.csv", "https://www.trendmicro.com/en_us/research/26/e/analyzing-teampcp-supply-chain-attacks.html", "IOCs.2026.csv", "https://checkmarx.com/blog/ongoing-security-updates/" ], "related": { "alienvault": { "adversary": [ "TeamPCP" ], "malware_families": [ "Shai-hulud" ], "industries": [ "Technology" ] }, "other": { "adversary": [ "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "TeamPCP" ], "malware_families": [ "Shai-hulud" ], "industries": [ "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "69ec0475e74facdf3bf89ce1", "name": "The npm Threat Landscape: Attack Surface and Mitigations", "description": "The npm ecosystem experienced a critical shift in September 2025 with the Shai-Hulud worm, marking the transition from isolated attacks to systematic supply chain compromises. In April 2026, TeamPCP launched a coordinated campaign through a malicious @bitwarden/cli package targeting multiple distribution channels including Docker Hub, GitHub Actions, and VS Code extensions. The multi-stage payload employs advanced obfuscation, harvests credentials from cloud providers and developer workstations, exfiltrates data through encrypted HTTPS and GitHub repositories, and self-propagates by backdooring npm packages using stolen tokens. The malware implements GitHub's search API as a resilient command-and-control fallback mechanism and features anti-detection measures including Russian locale killswitches. This represents an evolution toward wormable propagation, infrastructure-level persistence, and dormant payloads that activate under specific conditions.", "modified": "2026-04-27T08:37:36.349000", "created": "2026-04-25T00:01:57.586000", "tags": [ "obfuscation", "worm propagation", "self-replicating malware", "credential harvesting", "npm packages", "ci/cd compromise", "shai-hulud", "github", "supply chain" ], "references": [ "https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/", "https://unit42.paloaltonetworks.com/wp-content/uploads/2026/04/05_Malware_Category_1920x900.jpg" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "Shai-Hulud", "display_name": "Shai-Hulud", "target": null } ], "attack_ids": [ { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1087.004", "name": "Cloud Account", "display_name": "T1087.004 - Cloud Account" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "FileHash-SHA256": 3, "URL": 1, "domain": 1, "hostname": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 386456, "modified_text": "33 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "12 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a06839ffcfce247f77b6e31", "name": "IOC - Analyzing TeamPCP\u2019s Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft", "description": "TeamPCP has been identified as running a coordinated campaign from March 19 through April 24, with at least seven distinct waves identified. It finds trusted artifacts in developer tool chains, poisons the distribution channel using that project\u2019s own infrastructure, and harvests credentials before the project\u2019s maintainers or security monitoring catches the substitution. The targets span five programming ecosystems and three registry types.", "modified": "2026-05-15T02:23:27.027000", "created": "2026-05-15T02:23:27.027000", "tags": [ "checkmarx kics", "bitwarden", "bitwarden cli", "kics", "c2 domain", "10 mb", "kics elf", "docker", "cli loader", "cli payload", "python", "exfiltration", "prior", "shell" ], "references": [ "https://www.trendmicro.com/en_us/research/26/e/analyzing-teampcp-supply-chain-attacks.html" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 4, "FileHash-SHA256": 6, "IPv4": 3, "URL": 1, "domain": 2, "hostname": 2 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 138, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a023d1c0e550290a3ea3407", "name": "Ongoing Checkmarx Supply Chain Security Incident", "description": "On March 23, 2026, Checkmarx experienced a supply chain security incident related to compromised developer artifacts following the Trivy supply chain attack. Attackers exploited vulnerabilities in the Trivy scanner, potentially harvesting credentials from downstream users. This unauthorized access enabled them to publish malicious code to Checkmarx's GitHub repositories, where they interacted with the environment and published compromised versions of plugins.", "modified": "2026-05-11T20:33:32.260000", "created": "2026-05-11T20:33:32.260000", "tags": [ "file", "sha256", "window", "block", "march" ], "references": [ "https://checkmarx.com/blog/ongoing-security-updates/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 3, "IPv4": 3, "domain": 2, "hostname": 2 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69f05bee4159cfffc6b12a9f", "name": "The npm Threat Landscape: Attack Surface and Mitigations", "description": "", "modified": "2026-04-28T07:04:14.767000", "created": "2026-04-28T07:04:14.767000", "tags": [ "obfuscation", "worm propagation", "self-replicating malware", "credential harvesting", "npm packages", "ci/cd compromise", "shai-hulud", "github", "supply chain" ], "references": [ "https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/", "https://unit42.paloaltonetworks.com/wp-content/uploads/2026/04/05_Malware_Category_1920x900.jpg" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "Shai-Hulud", "display_name": "Shai-Hulud", "target": null } ], "attack_ids": [ { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1087.004", "name": "Cloud Account", "display_name": "T1087.004 - Cloud Account" }, { "id": "T1554", "name": "Compromise Client Software Binary", "display_name": "T1554 - Compromise Client Software Binary" }, { "id": "T1098", "name": "Account Manipulation", "display_name": "T1098 - Account Manipulation" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1564.001", "name": "Hidden Files and Directories", "display_name": "T1564.001 - Hidden Files and Directories" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": "69ec0475e74facdf3bf89ce1", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "FileHash-SHA256": 3, "URL": 1, "domain": 1, "hostname": 1 }, "indicator_count": 7, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "32 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "checkmarx.cx", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "checkmarx.cx", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780180894.2617908 }