{ "type": "Domain", "indicator": "git-tanstack.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/git-tanstack.com", "alexa": "http://www.alexa.com/siteinfo/git-tanstack.com", "indicator": "git-tanstack.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4355443803, "indicator": "git-tanstack.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 22, "pulses": [ { "id": "6a0f2710f906b2452e3b84d4", "name": "Mini Shai-Hulud Hits TanStack npm Packages", "description": "The Mini Shai-Hulud campaign compromised 84 npm package artifacts in the TanStack namespace with credential-stealing malware targeting continuous integration systems. On May 11, 2026, attackers published 84 malicious versions across 42 TanStack packages by chaining the pull_request_target pattern, GitHub Actions cache poisoning, and extracting OIDC tokens from runner process memory. The attack affected high-profile packages including @tanstack/react-router, which receives over 12 million weekly downloads. Wiz attributes this activity to TeamPCP, which has previously compromised SAP, Checkmarx, Bitwarden and other developer tools. The campaign expanded beyond TanStack to include OpenSearch npm versions, PyPI mistralai packages, and others, using three exfiltration routes including typosquatted domains, Session messenger network, and GitHub API dead drops.", "modified": "2026-05-21T16:01:41.793000", "created": "2026-05-21T15:38:56.088000", "tags": [ "Mini Shai-Hulud", "TanStack", "npm", "supply chain attack", "credential theft", "GitHub Actions", "OIDC token", "PyPI" ], "references": [ "https://www.infosecurity-magazine.com/news/mini-shai-hulud-tanstack-npm/" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "Mini Shai-Hulud", "display_name": "Mini Shai-Hulud", "target": null } ], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 1 }, "indicator_count": 1, "is_author": false, "is_subscribing": null, "subscriber_count": 386583, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a033148e786c959261ff66f", "name": "TanStack npm Packages Compromised in Ongoing Supply-Chain Attack", "description": "Socket detected 84 compromised TanStack npm package artifacts modified with credential-stealing malware targeting CI systems, including GitHub Actions. Affected packages like @tanstack/react-router have over 12 million weekly downloads. The malicious versions contain router_init.js, a heavily obfuscated file with daemonization capabilities and environment variable access for GitHub Actions secrets. The compromise exploited GitHub Actions cache poisoning and pull_request_target patterns to extract OIDC tokens and authenticate malicious npm publishes through trusted-publisher bindings. The malware harvests credentials from GitHub Actions, AWS (IMDS, Secrets Manager, SSM), HashiCorp Vault, and Kubernetes, while establishing persistence in Claude Code and VS Code directories. Exfiltration occurs through Session's decentralized P2P network. The campaign includes self-propagation mechanisms that steal npm OIDC tokens and autonomously republish compromised packages. Updates indicate expansion to OpenSearch, Mistr...", "modified": "2026-05-12T16:39:54.783000", "created": "2026-05-12T13:55:20.695000", "tags": [ "github actions", "supply-chain attack", "session p2p network", "oidc token theft", "credential stealer", "npm compromise", "ci/cd targeting", "router_init.js", "router_runtime.js", "mini shai-hulud", "tanstack_runner.js" ], "references": [ "https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "router_init.js", "display_name": "router_init.js", "target": null }, { "id": "tanstack_runner.js", "display_name": "tanstack_runner.js", "target": null }, { "id": "router_runtime.js", "display_name": "router_runtime.js", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1552.005", "name": "Cloud Instance Metadata API", "display_name": "T1552.005 - Cloud Instance Metadata API" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1098.001", "name": "Additional Cloud Credentials", "display_name": "T1098.001 - Additional Cloud Credentials" }, { "id": "T1087.004", "name": "Cloud Account", "display_name": "T1087.004 - Cloud Account" }, { "id": "T1136.003", "name": "Cloud Account", "display_name": "T1136.003 - Cloud Account" }, { "id": "T1204.003", "name": "Malicious Image", "display_name": "T1204.003 - Malicious Image" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1550.001", "name": "Application Access Token", "display_name": "T1550.001 - Application Access Token" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1552.007", "name": "Container API", "display_name": "T1552.007 - Container API" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 2, "URL": 1, "domain": 1 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 386583, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a066c749aa35a9b1f0af246", "name": "Decryption Digest Threat Intelligence", "description": "Curated IOC feed from Decryption Digest (decryptiondigest.com) \u2014 practitioner-level cybersecurity threat intelligence covering malware, ransomware, phishing, and advanced persistent threats.", "modified": "2026-05-30T12:20:13.434000", "created": "2026-05-15T00:44:34.237000", "tags": [ "BlueNoroff", "APT", "DPRK", "c2", "credential-stealer", "ShinyHunters", "UNC6661", "data-extortion", "vishing", "data-exfiltration", "AI phishing", "ValleyRAT", "Silver Fox", "UTG-Q-1000", "ABCDoor", "China APT", "tax phishing", "Okta credential theft", "SaaS extortion", "UNC6671", "SSO phishing", "marimo RCE", "AWS credential replay", "autonomous attack", "CVE-2026-39987", "LLM agent", "post-exploitation", "Cloudflare Workers egress", "lateral movement" ], "references": [ "https://www.decryptiondigest.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "thebangster", "id": "405150", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "domain": 18, "hostname": 9, "FileHash-SHA256": 17 }, "indicator_count": 80, "is_author": false, "is_subscribing": null, "subscriber_count": 3, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 553236, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a12fbc0117778eaba6e378a", "name": "EbeeMay2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:23:12.428000", "created": "2026-05-24T13:23:12.428000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "rnuarbvf url", "z5brjsogj789", "da6ah3", "goceqc6sk" ], "references": [], "public": 1, "adversary": "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 84, "URL": 63, "CVE": 21, "FileHash-MD5": 204, "FileHash-SHA1": 197, "FileHash-SHA256": 220, "domain": 122, "email": 13, "hostname": 99 }, "indicator_count": 1023, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a12844fc1060edd372d8d41", "name": "Mini Shai-Hulud Hits TanStack npm Packages", "description": "", "modified": "2026-05-24T04:53:35.742000", "created": "2026-05-24T04:53:35.742000", "tags": [ "Mini Shai-Hulud", "TanStack", "npm", "supply chain attack", "credential theft", "GitHub Actions", "OIDC token", "PyPI" ], "references": [ "https://www.infosecurity-magazine.com/news/mini-shai-hulud-tanstack-npm/" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "Mini Shai-Hulud", "display_name": "Mini Shai-Hulud", "target": null } ], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": "6a0f2710f906b2452e3b84d4", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1 }, "indicator_count": 1, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0c7064a0fb569bec85f393", "name": "Botnet_C2 | May 20, 2026", "description": "Botnet_C2 indicators. Date: May 20, 2026. Total: 1572 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-19T14:15:00.785000", "created": "2026-05-19T14:15:00.785000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "hostname": 110, "URL": 131, "domain": 106 }, "indicator_count": 352, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0b1ea5176db73afd03be92", "name": "Botnet_C2 | May 19, 2026", "description": "Botnet_C2 indicators. Date: May 19, 2026. Total: 1536 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-18T14:13:57.759000", "created": "2026-05-18T14:13:57.759000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "hostname": 164, "URL": 126, "domain": 100 }, "indicator_count": 395, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a09ccf25cc07a878047c587", "name": "Botnet_C2 | May 18, 2026", "description": "Botnet_C2 indicators. Date: May 18, 2026. Total: 1498 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-17T14:13:06.822000", "created": "2026-05-17T14:13:06.822000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "domain": 91, "hostname": 167, "URL": 110 }, "indicator_count": 373, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a099f8446d58b4203386ce1", "name": "TeamPCP supply chain attack hits TanStack", "description": "On May 11, 2026, a significant supply chain attack attributed to TeamPCP targeted TanStack, compromising 84 malicious versions of 42 npm packages. This attack utilized the pull_request_target feature of GitHub Actions without modifying the publish workflow or stealing npm tokens directly. Instead, it executed a sophisticated chain of three vulnerabilities in the Continuous Integration/Continuous Deployment (CI/CD) pipeline: abuse of the pull_request_target trigger, cache poisoning within GitHub Actions, and extraction of an OIDC token from the GitHub Actions runner's memory.", "modified": "2026-05-17T10:59:16.053000", "created": "2026-05-17T10:59:16.053000", "tags": [ "github actions", "mini shaihulud", "github", "tanstack", "teampcp", "oidc", "cicd", "shaihulud", "linux github", "oidc token", "level", "april", "malicious", "cloud", "persistence" ], "references": [ "https://www.threatlocker.com/blog/teampcp-supply-chain-attack-hits-tanstack" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003.007", "name": "Proc Filesystem", "display_name": "T1003.007 - Proc Filesystem" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 4, "IPv4": 1, "URL": 2, "domain": 1, "hostname": 1 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a087b722fa404577f1e5595", "name": "Botnet_C2 | May 17, 2026", "description": "Botnet_C2 indicators. Date: May 17, 2026. Total: 1324 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-16T14:13:06.540000", "created": "2026-05-16T14:13:06.540000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 109, "hostname": 167, "domain": 97 }, "indicator_count": 378, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a072a0676dcfed7790c60ab", "name": "Botnet_C2 | May 16, 2026", "description": "Botnet_C2 indicators. Date: May 16, 2026. Total: 1275 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-15T14:13:26.156000", "created": "2026-05-15T14:13:26.156000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "domain": 106, "hostname": 168, "URL": 103 }, "indicator_count": 382, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a061f29d457aa159ebd9ef1", "name": "ASDSDGDFGGF", "description": "", "modified": "2026-05-14T19:14:49.129000", "created": "2026-05-14T19:14:49.129000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "harshandc123", "id": "378589", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 19, "FileHash-MD5": 70, "FileHash-SHA1": 22, "FileHash-SHA256": 27, "URL": 19, "domain": 5, "hostname": 8 }, "indicator_count": 170, "is_author": false, "is_subscribing": null, "subscriber_count": 16, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a05d87e1a72136955395ca3", "name": "Botnet_C2 | May 15, 2026", "description": "Botnet_C2 indicators. Date: May 15, 2026. Total: 1254 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-14T14:13:18.368000", "created": "2026-05-14T14:13:18.368000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "domain": 114, "hostname": 159, "URL": 111 }, "indicator_count": 389, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a04e457fd36871681034888", "name": "bhishmarlodndsaa", "description": "The full text of the text above the full translation of this page: www.beuskq/raw..com. and here is a full list of text-based descriptions:-.", "modified": "2026-05-13T20:51:35.181000", "created": "2026-05-13T20:51:35.181000", "tags": [ "indicator name", "ydznvjljcz6f7" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 16, "FileHash-MD5": 81, "FileHash-SHA1": 46, "FileHash-SHA256": 56, "URL": 3, "domain": 6, "hostname": 4 }, "indicator_count": 212, "is_author": false, "is_subscribing": null, "subscriber_count": 21, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a04873aa32e956eec586c77", "name": "Botnet_C2 | May 14, 2026", "description": "Botnet_C2 indicators. Date: May 14, 2026. Total: 1170 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-13T14:14:18.218000", "created": "2026-05-13T14:14:18.218000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "hostname": 161, "URL": 112, "domain": 134 }, "indicator_count": 412, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0438987077d2025d7c1b2e", "name": "TeamPCP hits 160+ packages including OpenSearch and Mistral AI", "description": "A self-propagating npm worm identified as Mini Shai-Hulud has targeted over 170 npm packages and expanded into the Python Package Index (PyPI), specifically impacting high-profile clients such as the official OpenSearch JavaScript client and the Mistral AI packages. Named after the fictional creature from the \"Dune\" series, the attack has been attributed to a group calling themselves TeamPCP, which publicly claimed credit via a typosquatting domain associated with the npm packages.", "modified": "2026-05-13T08:38:48.280000", "created": "2026-05-13T08:38:48.280000", "tags": [ "malware", "npm security", "package security", "open source security", "threat intelligence", "vulnerability reporting", "teampcp", "opensearch", "mistral ai", "pypi", "session", "claude code", "vs code", "compromise", "iocs", "malicious", "pypi dropper", "love teampcp", "file hashes" ], "references": [ "https://opensourcemalware.com/blog/teampcp-mistralai-opensearch-compromised" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 2, "URL": 1, "domain": 1, "hostname": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a04333a1f4b0a7a6d4f7332", "name": "Mini Shai-Hulud Strikes Again: TanStack + more npm Packages Compromised", "description": "A recent coordinated supply chain attack, dubbed the Mini Shai-Hulud campaign, was executed by a threat actor group known as TeamPCP, targeting the npm and PyPi ecosystems on May 11, 2026. This attack compromised multiple high-value developer tools, particularly in the \n@tanstack\n and \n@uipath\n namespaces, with malicious versions of popular packages such as @tanstack/react-router and @uipath/apollo-core being among those affected. The attack was characterized by the exploitation of vulnerabilities in GitHub Actions, where the actor forked a legitimate repository, renamed it to evade detection, and subsequently executed malicious code that poisoned the GitHub Actions cache. This facilitated the extraction of OpenID Connect (OIDC) tokens from the GitHub Actions runners, enabling the unauthorized publication of the malicious package versions by bypassing npm credentials completely.", "modified": "2026-05-13T08:15:54.916000", "created": "2026-05-13T08:15:54.916000", "tags": [ "research", "threat intel", "strong", "github", "github actions", "mini shaihulud", "teampcp", "pypi", "tanstack", "oidc", "cicd", "notable", "mini", "macos", "python", "lightning", "persistence", "footer", "cloud", "uipath" ], "references": [ "https://www.wiz.io/blog/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1480.001", "name": "Environmental Keying", "display_name": "T1480.001 - Environmental Keying" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" } ], "industries": [ "Aerospace" ], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 5, "FileHash-SHA256": 4, "IPv4": 1, "URL": 2, "domain": 1 }, "indicator_count": 15, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a040869301ab23a12b403da", "name": "TanStack npm Packages Compromised in Ongoing Supply-Chain Attack", "description": "", "modified": "2026-05-13T05:13:13.511000", "created": "2026-05-13T05:13:13.511000", "tags": [ "github actions", "supply-chain attack", "session p2p network", "oidc token theft", "credential stealer", "npm compromise", "ci/cd targeting", "router_init.js", "router_runtime.js", "mini shai-hulud", "tanstack_runner.js" ], "references": [ "https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "router_init.js", "display_name": "router_init.js", "target": null }, { "id": "tanstack_runner.js", "display_name": "tanstack_runner.js", "target": null }, { "id": "router_runtime.js", "display_name": "router_runtime.js", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1552.005", "name": "Cloud Instance Metadata API", "display_name": "T1552.005 - Cloud Instance Metadata API" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1098.001", "name": "Additional Cloud Credentials", "display_name": "T1098.001 - Additional Cloud Credentials" }, { "id": "T1087.004", "name": "Cloud Account", "display_name": "T1087.004 - Cloud Account" }, { "id": "T1136.003", "name": "Cloud Account", "display_name": "T1136.003 - Cloud Account" }, { "id": "T1204.003", "name": "Malicious Image", "display_name": "T1204.003 - Malicious Image" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1550.001", "name": "Application Access Token", "display_name": "T1550.001 - Application Access Token" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1552.007", "name": "Container API", "display_name": "T1552.007 - Container API" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": "6a033148e786c959261ff66f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 2, "URL": 1, "domain": 1 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a03d31008c4f4921c660161", "name": "Twitter Feed - SocketSecurity - 12-05-2026", "description": "", "modified": "2026-05-13T01:25:36.557000", "created": "2026-05-13T01:25:36.557000", "tags": [], "references": [ "https://x.com/SocketSecurity/status/2054048025081737446" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1, "URL": 1 }, "indicator_count": 2, "is_author": false, "is_subscribing": null, "subscriber_count": 1624, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0335a9ce1b312bb85367f7", "name": "Botnet_C2 | May 13, 2026", "description": "Botnet_C2 indicators. Date: May 13, 2026. Total: 1052 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-12T14:14:01.762000", "created": "2026-05-12T14:14:01.762000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 102, "domain": 140, "hostname": 165 }, "indicator_count": 412, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack", "https://opensourcemalware.com/blog/teampcp-mistralai-opensearch-compromised", "https://www.decryptiondigest.com", "https://www.infosecurity-magazine.com/news/mini-shai-hulud-tanstack-npm/", "https://www.wiz.io/blog/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised", "IOCs.csv", "https://www.threatlocker.com/blog/teampcp-supply-chain-attack-hits-tanstack", "https://x.com/SocketSecurity/status/2054048025081737446", "https://ltna.com.au/cyber" ], "related": { "alienvault": { "adversary": [ "TeamPCP" ], "malware_families": [ "Tanstack_runner.js", "Router_runtime.js", "Router_init.js", "Mini shai-hulud" ], "industries": [ "Technology" ] }, "other": { "adversary": [ "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager", "TeamPCP" ], "malware_families": [ "Tanstack_runner.js", "Router_runtime.js", "Router_init.js", "Mini shai-hulud" ], "industries": [ "Technology", "Aerospace" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 22, "pulses": [ { "id": "6a0f2710f906b2452e3b84d4", "name": "Mini Shai-Hulud Hits TanStack npm Packages", "description": "The Mini Shai-Hulud campaign compromised 84 npm package artifacts in the TanStack namespace with credential-stealing malware targeting continuous integration systems. On May 11, 2026, attackers published 84 malicious versions across 42 TanStack packages by chaining the pull_request_target pattern, GitHub Actions cache poisoning, and extracting OIDC tokens from runner process memory. The attack affected high-profile packages including @tanstack/react-router, which receives over 12 million weekly downloads. Wiz attributes this activity to TeamPCP, which has previously compromised SAP, Checkmarx, Bitwarden and other developer tools. The campaign expanded beyond TanStack to include OpenSearch npm versions, PyPI mistralai packages, and others, using three exfiltration routes including typosquatted domains, Session messenger network, and GitHub API dead drops.", "modified": "2026-05-21T16:01:41.793000", "created": "2026-05-21T15:38:56.088000", "tags": [ "Mini Shai-Hulud", "TanStack", "npm", "supply chain attack", "credential theft", "GitHub Actions", "OIDC token", "PyPI" ], "references": [ "https://www.infosecurity-magazine.com/news/mini-shai-hulud-tanstack-npm/" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "Mini Shai-Hulud", "display_name": "Mini Shai-Hulud", "target": null } ], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 1 }, "indicator_count": 1, "is_author": false, "is_subscribing": null, "subscriber_count": 386583, "modified_text": "10 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a033148e786c959261ff66f", "name": "TanStack npm Packages Compromised in Ongoing Supply-Chain Attack", "description": "Socket detected 84 compromised TanStack npm package artifacts modified with credential-stealing malware targeting CI systems, including GitHub Actions. Affected packages like @tanstack/react-router have over 12 million weekly downloads. The malicious versions contain router_init.js, a heavily obfuscated file with daemonization capabilities and environment variable access for GitHub Actions secrets. The compromise exploited GitHub Actions cache poisoning and pull_request_target patterns to extract OIDC tokens and authenticate malicious npm publishes through trusted-publisher bindings. The malware harvests credentials from GitHub Actions, AWS (IMDS, Secrets Manager, SSM), HashiCorp Vault, and Kubernetes, while establishing persistence in Claude Code and VS Code directories. Exfiltration occurs through Session's decentralized P2P network. The campaign includes self-propagation mechanisms that steal npm OIDC tokens and autonomously republish compromised packages. Updates indicate expansion to OpenSearch, Mistr...", "modified": "2026-05-12T16:39:54.783000", "created": "2026-05-12T13:55:20.695000", "tags": [ "github actions", "supply-chain attack", "session p2p network", "oidc token theft", "credential stealer", "npm compromise", "ci/cd targeting", "router_init.js", "router_runtime.js", "mini shai-hulud", "tanstack_runner.js" ], "references": [ "https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "router_init.js", "display_name": "router_init.js", "target": null }, { "id": "tanstack_runner.js", "display_name": "tanstack_runner.js", "target": null }, { "id": "router_runtime.js", "display_name": "router_runtime.js", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1552.005", "name": "Cloud Instance Metadata API", "display_name": "T1552.005 - Cloud Instance Metadata API" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1098.001", "name": "Additional Cloud Credentials", "display_name": "T1098.001 - Additional Cloud Credentials" }, { "id": "T1087.004", "name": "Cloud Account", "display_name": "T1087.004 - Cloud Account" }, { "id": "T1136.003", "name": "Cloud Account", "display_name": "T1136.003 - Cloud Account" }, { "id": "T1204.003", "name": "Malicious Image", "display_name": "T1204.003 - Malicious Image" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1550.001", "name": "Application Access Token", "display_name": "T1550.001 - Application Access Token" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1552.007", "name": "Container API", "display_name": "T1552.007 - Container API" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 2, "URL": 1, "domain": 1 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 386583, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a066c749aa35a9b1f0af246", "name": "Decryption Digest Threat Intelligence", "description": "Curated IOC feed from Decryption Digest (decryptiondigest.com) \u2014 practitioner-level cybersecurity threat intelligence covering malware, ransomware, phishing, and advanced persistent threats.", "modified": "2026-05-30T12:20:13.434000", "created": "2026-05-15T00:44:34.237000", "tags": [ "BlueNoroff", "APT", "DPRK", "c2", "credential-stealer", "ShinyHunters", "UNC6661", "data-extortion", "vishing", "data-exfiltration", "AI phishing", "ValleyRAT", "Silver Fox", "UTG-Q-1000", "ABCDoor", "China APT", "tax phishing", "Okta credential theft", "SaaS extortion", "UNC6671", "SSO phishing", "marimo RCE", "AWS credential replay", "autonomous attack", "CVE-2026-39987", "LLM agent", "post-exploitation", "Cloudflare Workers egress", "lateral movement" ], "references": [ "https://www.decryptiondigest.com" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "thebangster", "id": "405150", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 36, "domain": 18, "hostname": 9, "FileHash-SHA256": 17 }, "indicator_count": 80, "is_author": false, "is_subscribing": null, "subscriber_count": 3, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "5fa1852d337eca8e99c2ec32", "name": "Malware - Malware Domain Feed V2 - November 03 2020", "description": "Command and Control domains for Malware. These domains are extracted from a number of sources, and are suspicious.", "modified": "2026-05-30T03:19:46.084000", "created": "2020-11-03T16:28:29.011000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 553236, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 3, "follower_count": 0, "vote": 0, "author": { "username": "otxrobottwo", "id": "78495", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_78495/resized/80/avatar_ba5a8acdbd.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 49967, "domain": 75353 }, "indicator_count": 125320, "is_author": false, "is_subscribing": null, "subscriber_count": 1727, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a12fbc0117778eaba6e378a", "name": "EbeeMay2026 Pt3", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-24T13:23:12.428000", "created": "2026-05-24T13:23:12.428000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "rnuarbvf url", "z5brjsogj789", "da6ah3", "goceqc6sk" ], "references": [], "public": 1, "adversary": "Seedworm, Amadey Botnet, Sorry, Leveraging Rclone, Campaign Abuses Google Tag Manager", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 84, "URL": 63, "CVE": 21, "FileHash-MD5": 204, "FileHash-SHA1": 197, "FileHash-SHA256": 220, "domain": 122, "email": 13, "hostname": 99 }, "indicator_count": 1023, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a12844fc1060edd372d8d41", "name": "Mini Shai-Hulud Hits TanStack npm Packages", "description": "", "modified": "2026-05-24T04:53:35.742000", "created": "2026-05-24T04:53:35.742000", "tags": [ "Mini Shai-Hulud", "TanStack", "npm", "supply chain attack", "credential theft", "GitHub Actions", "OIDC token", "PyPI" ], "references": [ "https://www.infosecurity-magazine.com/news/mini-shai-hulud-tanstack-npm/" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "Mini Shai-Hulud", "display_name": "Mini Shai-Hulud", "target": null } ], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": "6a0f2710f906b2452e3b84d4", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 1 }, "indicator_count": 1, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "7 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0c7064a0fb569bec85f393", "name": "Botnet_C2 | May 20, 2026", "description": "Botnet_C2 indicators. Date: May 20, 2026. Total: 1572 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-19T14:15:00.785000", "created": "2026-05-19T14:15:00.785000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "hostname": 110, "URL": 131, "domain": 106 }, "indicator_count": 352, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a0b1ea5176db73afd03be92", "name": "Botnet_C2 | May 19, 2026", "description": "Botnet_C2 indicators. Date: May 19, 2026. Total: 1536 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-18T14:13:57.759000", "created": "2026-05-18T14:13:57.759000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "hostname": 164, "URL": 126, "domain": 100 }, "indicator_count": 395, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a09ccf25cc07a878047c587", "name": "Botnet_C2 | May 18, 2026", "description": "Botnet_C2 indicators. Date: May 18, 2026. Total: 1498 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-17T14:13:06.822000", "created": "2026-05-17T14:13:06.822000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "domain": 91, "hostname": 167, "URL": 110 }, "indicator_count": 373, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6a099f8446d58b4203386ce1", "name": "TeamPCP supply chain attack hits TanStack", "description": "On May 11, 2026, a significant supply chain attack attributed to TeamPCP targeted TanStack, compromising 84 malicious versions of 42 npm packages. This attack utilized the pull_request_target feature of GitHub Actions without modifying the publish workflow or stealing npm tokens directly. Instead, it executed a sophisticated chain of three vulnerabilities in the Continuous Integration/Continuous Deployment (CI/CD) pipeline: abuse of the pull_request_target trigger, cache poisoning within GitHub Actions, and extraction of an OIDC token from the GitHub Actions runner's memory.", "modified": "2026-05-17T10:59:16.053000", "created": "2026-05-17T10:59:16.053000", "tags": [ "github actions", "mini shaihulud", "github", "tanstack", "teampcp", "oidc", "cicd", "shaihulud", "linux github", "oidc token", "level", "april", "malicious", "cloud", "persistence" ], "references": [ "https://www.threatlocker.com/blog/teampcp-supply-chain-attack-hits-tanstack" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003.007", "name": "Proc Filesystem", "display_name": "T1003.007 - Proc Filesystem" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1543.001", "name": "Launch Agent", "display_name": "T1543.001 - Launch Agent" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 4, "IPv4": 1, "URL": 2, "domain": 1, "hostname": 1 }, "indicator_count": 14, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "git-tanstack.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "git-tanstack.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780266770.20784 }