{ "type": "URL", "indicator": "http://flipboxstudio.info/payload", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "http://flipboxstudio.info/payload", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4377330225, "indicator": "http://flipboxstudio.info/payload", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "6a145b5a874b4334862731ab", "name": "Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer", "description": "On May 22, 2026, a supply chain attack was detected targeting the Laravel-Lang packages, which involved the injection of credential-stealing code into three popular repositories. The attacker cleverly deployed malicious version tags that pointed to a fork containing the hazardous code without committing it to the official repositories. This approach exploited GitHub's functionality allowing version tags to be linked to different commits, enabling the execution of malicious code via Composer's autoloader feature.", "modified": "2026-05-25T14:23:22.719000", "created": "2026-05-25T14:23:22.719000", "tags": [ "c2 domain", "chrome", "windows", "winscp", "aikido user", "aikido", "laravellang", "github", "packagist", "linux", "exodus", "atomic", "phantom", "desktop" ], "references": [ "https://www.aikido.dev/blog/supply-chain-attack-targets-laravel-lang-packages-with-credential-stealer" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 1 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://www.aikido.dev/blog/supply-chain-attack-targets-laravel-lang-packages-with-credential-stealer" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 3 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/flipboxstudio.info", "whois": "http://whois.domaintools.com/flipboxstudio.info", "domain": "flipboxstudio.info", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "6a145b5a874b4334862731ab", "name": "Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer", "description": "On May 22, 2026, a supply chain attack was detected targeting the Laravel-Lang packages, which involved the injection of credential-stealing code into three popular repositories. The attacker cleverly deployed malicious version tags that pointed to a fork containing the hazardous code without committing it to the official repositories. This approach exploited GitHub's functionality allowing version tags to be linked to different commits, enabling the execution of malicious code via Composer's autoloader feature.", "modified": "2026-05-25T14:23:22.719000", "created": "2026-05-25T14:23:22.719000", "tags": [ "c2 domain", "chrome", "windows", "winscp", "aikido user", "aikido", "laravellang", "github", "packagist", "linux", "exodus", "atomic", "phantom", "desktop" ], "references": [ "https://www.aikido.dev/blog/supply-chain-attack-targets-laravel-lang-packages-with-credential-stealer" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2, "domain": 1 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "5 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "http://flipboxstudio.info/payload", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "http://flipboxstudio.info/payload", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780227931.323811 }