{ "type": "URL", "indicator": "http://sslifesciencelabs.com", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "http://sslifesciencelabs.com", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4097051398, "indicator": "http://sslifesciencelabs.com", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "687c0e8a3b8f3fc407dfd506", "name": "npm Phishing Email Targets Developers with Typosquatted Domain.", "description": "A recent phishing attack targeting developers employed a typosquatted domain, npnjs.com, designed to resemble the legitimate npm website. This sophisticated approach involved the use of a phishing email that spoofed the legitimate support email address of npm (support@npmjs.org) and urged recipients to log in through a carefully crafted link to the malicious site. The link led to a fake login page at npnjs.com/login?token=xx\u2026, where the token was likely intended to track user interaction or pre-fill information to make the phishing site appear more legitimate. This attack appeared to specifically target active package maintainers, particularly those with significant influence, as the maintainer involved manages packages that garner 34 million weekly downloads.", "modified": "2025-08-18T21:00:11.291000", "created": "2025-07-19T21:30:50.494000", "tags": [ "domain", "compromise", "iocs", "url phishing", "observed", "email artifacts", "spoofed", "dkim", "dmarc", "spfnone", "virustotal" ], "references": [ "https://socket.dev/blog/npm-phishing-email-targets-developers-with-typosquatted-domain" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 20, "domain": 32, "hostname": 1, "email": 1, "FileHash-SHA256": 20 }, "indicator_count": 74, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "285 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://socket.dev/blog/npm-phishing-email-targets-developers-with-typosquatted-domain" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 75 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/sslifesciencelabs.com", "whois": "http://whois.domaintools.com/sslifesciencelabs.com", "domain": "sslifesciencelabs.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "687c0e8a3b8f3fc407dfd506", "name": "npm Phishing Email Targets Developers with Typosquatted Domain.", "description": "A recent phishing attack targeting developers employed a typosquatted domain, npnjs.com, designed to resemble the legitimate npm website. This sophisticated approach involved the use of a phishing email that spoofed the legitimate support email address of npm (support@npmjs.org) and urged recipients to log in through a carefully crafted link to the malicious site. The link led to a fake login page at npnjs.com/login?token=xx\u2026, where the token was likely intended to track user interaction or pre-fill information to make the phishing site appear more legitimate. This attack appeared to specifically target active package maintainers, particularly those with significant influence, as the maintainer involved manages packages that garner 34 million weekly downloads.", "modified": "2025-08-18T21:00:11.291000", "created": "2025-07-19T21:30:50.494000", "tags": [ "domain", "compromise", "iocs", "url phishing", "observed", "email artifacts", "spoofed", "dkim", "dmarc", "spfnone", "virustotal" ], "references": [ "https://socket.dev/blog/npm-phishing-email-targets-developers-with-typosquatted-domain" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1192", "name": "Spearphishing Link", "display_name": "T1192 - Spearphishing Link" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1556.002", "name": "Password Filter DLL", "display_name": "T1556.002 - Password Filter DLL" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1584.001", "name": "Domains", "display_name": "T1584.001 - Domains" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 20, "domain": 32, "hostname": 1, "email": 1, "FileHash-SHA256": 20 }, "indicator_count": 74, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "285 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "http://sslifesciencelabs.com", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "http://sslifesciencelabs.com", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780197657.4043999 }