{ "type": "URL", "indicator": "https://api.npoint.io/96979650f5739bcbaebb", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://api.npoint.io/96979650f5739bcbaebb", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4119473346, "indicator": "https://api.npoint.io/96979650f5739bcbaebb", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "689c7d9c70e5cba54257d1a9", "name": "Uncovering a Web3 Interview Scam", "description": "A Ukrainian Web3 team's interview process involved cloning a GitHub repository containing malicious components. Analysis revealed the project replaced a legitimate dependency with a malicious NPM package, rtk-logger@1.11.5. This package collected sensitive data, including cryptocurrency wallet information, from popular browsers and uploaded it to an attacker-controlled server. The malware also implemented keylogging, screen capture, and clipboard monitoring. Two other GitHub accounts were found using a similar malicious package. The scam aimed to trick interviewees into executing malicious code, potentially leading to data leaks and asset theft. Developers are advised to exercise caution when handling unknown GitHub projects and to use isolated environments for execution.", "modified": "2025-08-13T15:39:30.729000", "created": "2025-08-13T11:57:16.849000", "tags": [ "redux-ace", "rtk-logger", "data theft", "web3", "npm package", "cryptocurrency", "github", "malware", "interview scam" ], "references": [ "https://slowmist.medium.com/threat-intelligence-uncovering-a-web3-interview-scam-bb366694b7f3" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "rtk-logger", "display_name": "rtk-logger", "target": null }, { "id": "redux-ace", "display_name": "redux-ace", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "URL": 4 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 386677, "modified_text": "291 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689dbd6fc683062764f4f07c", "name": "EbeeAugust2025 Pt2", "description": "", "modified": "2025-10-02T13:04:51.166000", "created": "2025-08-14T10:41:51.150000", "tags": [], "references": [ "Aug-Week2.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 476, "FileHash-SHA1": 551, "FileHash-SHA256": 521, "URL": 92, "domain": 216, "email": 2, "hostname": 68 }, "indicator_count": 1926, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "242 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a39c3e7cf73961aaebaaa8", "name": "Malicious PyPI and npm Packages Exploits Dependencies in Supply Chain Attacks", "description": "A malicious PyPI package named termncolor was discovered which introduces\npersistence and remote code execution via its dependency colorinal.", "modified": "2025-09-17T21:01:12.337000", "created": "2025-08-18T21:33:50.097000", "tags": [ "urls", "hashes sha256" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 9, "hostname": 1 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "256 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a375790eb016d8cb794209", "name": "Malicious PyPI and npm Packages Exploits Dependencies in Supply Chain Attacks", "description": "A malicious PyPI package named termncolor was discovered which introduces\npersistence and remote code execution via its dependency colorinal. Termncolor had\n355 downloads, while colorinal saw 529 before both were removed.", "modified": "2025-09-17T18:02:18.847000", "created": "2025-08-18T18:48:25.614000", "tags": [ "urls", "hashes sha256" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 9, "hostname": 1 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "256 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689c5d9aefce6221d0e33acf", "name": "Threat Intelligence: Uncovering a Web3 Interview Scam", "description": "", "modified": "2025-09-12T09:01:26.606000", "created": "2025-08-13T09:40:42.352000", "tags": [ "npm package", "license file", "chrome", "brave", "opera", "python script", "script", "github", "united nations", "web3 interview", "joker", "crypto" ], "references": [ "https://slowmist.medium.com/threat-intelligence-uncovering-a-web3-interview-scam-bb366694b7f3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "URL": 18, "domain": 1, "hostname": 1 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "262 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "Aug-Week2.pdf", "https://slowmist.medium.com/threat-intelligence-uncovering-a-web3-interview-scam-bb366694b7f3" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Rtk-logger", "Redux-ace" ], "industries": [], "unique_indicators": 5 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 1022 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/npoint.io", "whois": "http://whois.domaintools.com/npoint.io", "domain": "npoint.io", "hostname": "api.npoint.io" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "689c7d9c70e5cba54257d1a9", "name": "Uncovering a Web3 Interview Scam", "description": "A Ukrainian Web3 team's interview process involved cloning a GitHub repository containing malicious components. Analysis revealed the project replaced a legitimate dependency with a malicious NPM package, rtk-logger@1.11.5. This package collected sensitive data, including cryptocurrency wallet information, from popular browsers and uploaded it to an attacker-controlled server. The malware also implemented keylogging, screen capture, and clipboard monitoring. Two other GitHub accounts were found using a similar malicious package. The scam aimed to trick interviewees into executing malicious code, potentially leading to data leaks and asset theft. Developers are advised to exercise caution when handling unknown GitHub projects and to use isolated environments for execution.", "modified": "2025-08-13T15:39:30.729000", "created": "2025-08-13T11:57:16.849000", "tags": [ "redux-ace", "rtk-logger", "data theft", "web3", "npm package", "cryptocurrency", "github", "malware", "interview scam" ], "references": [ "https://slowmist.medium.com/threat-intelligence-uncovering-a-web3-interview-scam-bb366694b7f3" ], "public": 1, "adversary": "", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "rtk-logger", "display_name": "rtk-logger", "target": null }, { "id": "redux-ace", "display_name": "redux-ace", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1588.002", "name": "Tool", "display_name": "T1588.002 - Tool" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1553.004", "name": "Install Root Certificate", "display_name": "T1553.004 - Install Root Certificate" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1027.002", "name": "Software Packing", "display_name": "T1027.002 - Software Packing" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "URL": 4 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 386677, "modified_text": "291 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689dbd6fc683062764f4f07c", "name": "EbeeAugust2025 Pt2", "description": "", "modified": "2025-10-02T13:04:51.166000", "created": "2025-08-14T10:41:51.150000", "tags": [], "references": [ "Aug-Week2.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 476, "FileHash-SHA1": 551, "FileHash-SHA256": 521, "URL": 92, "domain": 216, "email": 2, "hostname": 68 }, "indicator_count": 1926, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "242 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a39c3e7cf73961aaebaaa8", "name": "Malicious PyPI and npm Packages Exploits Dependencies in Supply Chain Attacks", "description": "A malicious PyPI package named termncolor was discovered which introduces\npersistence and remote code execution via its dependency colorinal.", "modified": "2025-09-17T21:01:12.337000", "created": "2025-08-18T21:33:50.097000", "tags": [ "urls", "hashes sha256" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 9, "hostname": 1 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "256 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68a375790eb016d8cb794209", "name": "Malicious PyPI and npm Packages Exploits Dependencies in Supply Chain Attacks", "description": "A malicious PyPI package named termncolor was discovered which introduces\npersistence and remote code execution via its dependency colorinal. Termncolor had\n355 downloads, while colorinal saw 529 before both were removed.", "modified": "2025-09-17T18:02:18.847000", "created": "2025-08-18T18:48:25.614000", "tags": [ "urls", "hashes sha256" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 10, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 9, "hostname": 1 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 500, "modified_text": "256 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "689c5d9aefce6221d0e33acf", "name": "Threat Intelligence: Uncovering a Web3 Interview Scam", "description": "", "modified": "2025-09-12T09:01:26.606000", "created": "2025-08-13T09:40:42.352000", "tags": [ "npm package", "license file", "chrome", "brave", "opera", "python script", "script", "github", "united nations", "web3 interview", "joker", "crypto" ], "references": [ "https://slowmist.medium.com/threat-intelligence-uncovering-a-web3-interview-scam-bb366694b7f3" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 27, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "URL": 18, "domain": 1, "hostname": 1 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "262 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://api.npoint.io/96979650f5739bcbaebb", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://api.npoint.io/96979650f5739bcbaebb", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780323024.8882875 }