{ "type": "Domain", "indicator": "git-service.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/git-service.com", "alexa": "http://www.alexa.com/siteinfo/git-service.com", "indicator": "git-service.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4368638693, "indicator": "git-service.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6a12fc685c724f6f873953e6", "name": "EbeeMay2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:26:00.146000", "created": "2026-05-24T13:26:00.146000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20232868 cve", "cve20231389 cve", "cve20214034 cve", "cve20213493 cve" ], "references": [ "IOCs-MAY2.csv" ], "public": 1, "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 71, "URL": 59, "FileHash-MD5": 169, "FileHash-SHA1": 153, "FileHash-SHA256": 225, "CIDR": 1, "CVE": 29, "domain": 128, "hostname": 111 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a10220a8beb26aae6cd4c06", "name": "Microsoft's durabletask PyPI Package Compromised in Supply Chain Attack", "description": "On May 19, 2026, the Microsoft durabletask Python SDK was compromised on PyPI, marking a significant supply chain attack. The attacker uploaded three malicious versions of the package (1.4.1, 1.4.2, and 1.4.3) within a short timeframe, bypassing Microsoft's GitHub repository's build pipeline using stolen publishing credentials. The malicious payload, consisting of 14 lines of Python code, acts as a dropper for a more complex modular cloud intrusion framework known as rope.pyz. This framework features multiple modules designed to exfiltrate sensitive data across major cloud platforms and systems, including AWS, Azure, and GCP.", "modified": "2026-05-22T09:29:46.651000", "created": "2026-05-22T09:29:46.651000", "tags": [ "pypi", "github", "c2 domain", "microsoft", "cicd", "kubernetes", "teampcp", "hardenrunner", "docker", "mini shaihulud", "babayaga", "firebird", "dropper", "hulud", "vault cli", "kb" ], "references": [ "https://www.stepsecurity.io/blog/microsofts-durabletask-pypi-package-compromised-in-supply-chain-attack" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 7, "IPv4": 1, "URL": 5, "domain": 1, "hostname": 2 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e9548647274be6ed25228", "name": "GITHUB LEAK: YOUR CODE @\u00a0RISK! by THE RAVEN FILE", "description": "A leak of code from the code-sharing platform GitHub has been published online by TeamPCP, who had advertised a post on Breach Forum about the internal source of the site. Here is the complete breakdown of the leak analyzed by The Raven File", "modified": "2026-05-21T05:16:56.046000", "created": "2026-05-21T05:16:56.046000", "tags": [ "copilot", "teampcp", "failbot", "voltron", "ruby", "captcha", "logic", "lazarus", "team", "enterprise", "inside", "matrix", "cypherforce", "json" ], "references": [ "https://theravenfile.com/2026/05/20/github-leak-your-code-risk/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "CypherForce", "display_name": "CypherForce", "target": null }, { "id": "JSON", "display_name": "JSON", "target": null }, { "id": "Failbot", "display_name": "Failbot", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Bheeshmar", "id": "55168", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_55168/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "domain": 3 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "IOCs-MAY2.csv", "https://www.stepsecurity.io/blog/microsofts-durabletask-pypi-package-compromised-in-supply-chain-attack", "https://theravenfile.com/2026/05/20/github-leak-your-code-risk/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "TeamPCP", "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef" ], "malware_families": [ "Cypherforce", "Json", "Failbot" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6a12fc685c724f6f873953e6", "name": "EbeeMay2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:26:00.146000", "created": "2026-05-24T13:26:00.146000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20232868 cve", "cve20231389 cve", "cve20214034 cve", "cve20213493 cve" ], "references": [ "IOCs-MAY2.csv" ], "public": 1, "adversary": "Deploy Shai-Hulud Clones, Banana RAT, P2Pinfect Kubernetes Compromise, TamperedChef", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 71, "URL": 59, "FileHash-MD5": 169, "FileHash-SHA1": 153, "FileHash-SHA256": 225, "CIDR": 1, "CVE": 29, "domain": 128, "hostname": 111 }, "indicator_count": 946, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "6 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a10220a8beb26aae6cd4c06", "name": "Microsoft's durabletask PyPI Package Compromised in Supply Chain Attack", "description": "On May 19, 2026, the Microsoft durabletask Python SDK was compromised on PyPI, marking a significant supply chain attack. The attacker uploaded three malicious versions of the package (1.4.1, 1.4.2, and 1.4.3) within a short timeframe, bypassing Microsoft's GitHub repository's build pipeline using stolen publishing credentials. The malicious payload, consisting of 14 lines of Python code, acts as a dropper for a more complex modular cloud intrusion framework known as rope.pyz. This framework features multiple modules designed to exfiltrate sensitive data across major cloud platforms and systems, including AWS, Azure, and GCP.", "modified": "2026-05-22T09:29:46.651000", "created": "2026-05-22T09:29:46.651000", "tags": [ "pypi", "github", "c2 domain", "microsoft", "cicd", "kubernetes", "teampcp", "hardenrunner", "docker", "mini shaihulud", "babayaga", "firebird", "dropper", "hulud", "vault cli", "kb" ], "references": [ "https://www.stepsecurity.io/blog/microsofts-durabletask-pypi-package-compromised-in-supply-chain-attack" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 4, "FileHash-SHA1": 4, "FileHash-SHA256": 7, "IPv4": 1, "URL": 5, "domain": 1, "hostname": 2 }, "indicator_count": 25, "is_author": false, "is_subscribing": null, "subscriber_count": 542, "modified_text": "9 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0e9548647274be6ed25228", "name": "GITHUB LEAK: YOUR CODE @\u00a0RISK! by THE RAVEN FILE", "description": "A leak of code from the code-sharing platform GitHub has been published online by TeamPCP, who had advertised a post on Breach Forum about the internal source of the site. Here is the complete breakdown of the leak analyzed by The Raven File", "modified": "2026-05-21T05:16:56.046000", "created": "2026-05-21T05:16:56.046000", "tags": [ "copilot", "teampcp", "failbot", "voltron", "ruby", "captcha", "logic", "lazarus", "team", "enterprise", "inside", "matrix", "cypherforce", "json" ], "references": [ "https://theravenfile.com/2026/05/20/github-leak-your-code-risk/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "CypherForce", "display_name": "CypherForce", "target": null }, { "id": "JSON", "display_name": "JSON", "target": null }, { "id": "Failbot", "display_name": "Failbot", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1546", "name": "Event Triggered Execution", "display_name": "T1546 - Event Triggered Execution" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Bheeshmar", "id": "55168", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_55168/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "domain": 3 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 82, "modified_text": "10 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "git-service.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "git-service.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780224679.3033361 }