{ "type": "URL", "indicator": "https://git-tanstack.com/transformers.pyz", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://git-tanstack.com/transformers.pyz", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4355443804, "indicator": "https://git-tanstack.com/transformers.pyz", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "6a033148e786c959261ff66f", "name": "TanStack npm Packages Compromised in Ongoing Supply-Chain Attack", "description": "Socket detected 84 compromised TanStack npm package artifacts modified with credential-stealing malware targeting CI systems, including GitHub Actions. Affected packages like @tanstack/react-router have over 12 million weekly downloads. The malicious versions contain router_init.js, a heavily obfuscated file with daemonization capabilities and environment variable access for GitHub Actions secrets. The compromise exploited GitHub Actions cache poisoning and pull_request_target patterns to extract OIDC tokens and authenticate malicious npm publishes through trusted-publisher bindings. The malware harvests credentials from GitHub Actions, AWS (IMDS, Secrets Manager, SSM), HashiCorp Vault, and Kubernetes, while establishing persistence in Claude Code and VS Code directories. Exfiltration occurs through Session's decentralized P2P network. The campaign includes self-propagation mechanisms that steal npm OIDC tokens and autonomously republish compromised packages. Updates indicate expansion to OpenSearch, Mistr...", "modified": "2026-05-12T16:39:54.783000", "created": "2026-05-12T13:55:20.695000", "tags": [ "github actions", "supply-chain attack", "session p2p network", "oidc token theft", "credential stealer", "npm compromise", "ci/cd targeting", "router_init.js", "router_runtime.js", "mini shai-hulud", "tanstack_runner.js" ], "references": [ "https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "router_init.js", "display_name": "router_init.js", "target": null }, { "id": "tanstack_runner.js", "display_name": "tanstack_runner.js", "target": null }, { "id": "router_runtime.js", "display_name": "router_runtime.js", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1552.005", "name": "Cloud Instance Metadata API", "display_name": "T1552.005 - Cloud Instance Metadata API" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1098.001", "name": "Additional Cloud Credentials", "display_name": "T1098.001 - Additional Cloud Credentials" }, { "id": "T1087.004", "name": "Cloud Account", "display_name": "T1087.004 - Cloud Account" }, { "id": "T1136.003", "name": "Cloud Account", "display_name": "T1136.003 - Cloud Account" }, { "id": "T1204.003", "name": "Malicious Image", "display_name": "T1204.003 - Malicious Image" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1550.001", "name": "Application Access Token", "display_name": "T1550.001 - Application Access Token" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1552.007", "name": "Container API", "display_name": "T1552.007 - Container API" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 2, "URL": 1, "domain": 1 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 386583, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0c7064a0fb569bec85f393", "name": "Botnet_C2 | May 20, 2026", "description": "Botnet_C2 indicators. Date: May 20, 2026. Total: 1572 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-19T14:15:00.785000", "created": "2026-05-19T14:15:00.785000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "hostname": 110, "URL": 131, "domain": 106 }, "indicator_count": 352, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0b1ea5176db73afd03be92", "name": "Botnet_C2 | May 19, 2026", "description": "Botnet_C2 indicators. Date: May 19, 2026. Total: 1536 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-18T14:13:57.759000", "created": "2026-05-18T14:13:57.759000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "hostname": 164, "URL": 126, "domain": 100 }, "indicator_count": 395, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a09ccf25cc07a878047c587", "name": "Botnet_C2 | May 18, 2026", "description": "Botnet_C2 indicators. Date: May 18, 2026. Total: 1498 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-17T14:13:06.822000", "created": "2026-05-17T14:13:06.822000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "domain": 91, "hostname": 167, "URL": 110 }, "indicator_count": 373, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a087b722fa404577f1e5595", "name": "Botnet_C2 | May 17, 2026", "description": "Botnet_C2 indicators. Date: May 17, 2026. Total: 1324 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-16T14:13:06.540000", "created": "2026-05-16T14:13:06.540000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 109, "hostname": 167, "domain": 97 }, "indicator_count": 378, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a072a0676dcfed7790c60ab", "name": "Botnet_C2 | May 16, 2026", "description": "Botnet_C2 indicators. Date: May 16, 2026. Total: 1275 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-15T14:13:26.156000", "created": "2026-05-15T14:13:26.156000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "domain": 106, "hostname": 168, "URL": 103 }, "indicator_count": 382, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a05d87e1a72136955395ca3", "name": "Botnet_C2 | May 15, 2026", "description": "Botnet_C2 indicators. Date: May 15, 2026. Total: 1254 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-14T14:13:18.368000", "created": "2026-05-14T14:13:18.368000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "domain": 114, "hostname": 159, "URL": 111 }, "indicator_count": 389, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a04873aa32e956eec586c77", "name": "Botnet_C2 | May 14, 2026", "description": "Botnet_C2 indicators. Date: May 14, 2026. Total: 1170 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-13T14:14:18.218000", "created": "2026-05-13T14:14:18.218000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "hostname": 161, "URL": 112, "domain": 134 }, "indicator_count": 412, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0438987077d2025d7c1b2e", "name": "TeamPCP hits 160+ packages including OpenSearch and Mistral AI", "description": "A self-propagating npm worm identified as Mini Shai-Hulud has targeted over 170 npm packages and expanded into the Python Package Index (PyPI), specifically impacting high-profile clients such as the official OpenSearch JavaScript client and the Mistral AI packages. Named after the fictional creature from the \"Dune\" series, the attack has been attributed to a group calling themselves TeamPCP, which publicly claimed credit via a typosquatting domain associated with the npm packages.", "modified": "2026-05-13T08:38:48.280000", "created": "2026-05-13T08:38:48.280000", "tags": [ "malware", "npm security", "package security", "open source security", "threat intelligence", "vulnerability reporting", "teampcp", "opensearch", "mistral ai", "pypi", "session", "claude code", "vs code", "compromise", "iocs", "malicious", "pypi dropper", "love teampcp", "file hashes" ], "references": [ "https://opensourcemalware.com/blog/teampcp-mistralai-opensearch-compromised" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 2, "URL": 1, "domain": 1, "hostname": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a040869301ab23a12b403da", "name": "TanStack npm Packages Compromised in Ongoing Supply-Chain Attack", "description": "", "modified": "2026-05-13T05:13:13.511000", "created": "2026-05-13T05:13:13.511000", "tags": [ "github actions", "supply-chain attack", "session p2p network", "oidc token theft", "credential stealer", "npm compromise", "ci/cd targeting", "router_init.js", "router_runtime.js", "mini shai-hulud", "tanstack_runner.js" ], "references": [ "https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "router_init.js", "display_name": "router_init.js", "target": null }, { "id": "tanstack_runner.js", "display_name": "tanstack_runner.js", "target": null }, { "id": "router_runtime.js", "display_name": "router_runtime.js", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1552.005", "name": "Cloud Instance Metadata API", "display_name": "T1552.005 - Cloud Instance Metadata API" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1098.001", "name": "Additional Cloud Credentials", "display_name": "T1098.001 - Additional Cloud Credentials" }, { "id": "T1087.004", "name": "Cloud Account", "display_name": "T1087.004 - Cloud Account" }, { "id": "T1136.003", "name": "Cloud Account", "display_name": "T1136.003 - Cloud Account" }, { "id": "T1204.003", "name": "Malicious Image", "display_name": "T1204.003 - Malicious Image" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1550.001", "name": "Application Access Token", "display_name": "T1550.001 - Application Access Token" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1552.007", "name": "Container API", "display_name": "T1552.007 - Container API" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": "6a033148e786c959261ff66f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 2, "URL": 1, "domain": 1 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 278, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0335a9ce1b312bb85367f7", "name": "Botnet_C2 | May 13, 2026", "description": "Botnet_C2 indicators. Date: May 13, 2026. Total: 1052 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-12T14:14:01.762000", "created": "2026-05-12T14:14:01.762000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 102, "domain": 140, "hostname": 165 }, "indicator_count": 412, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "19 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://ltna.com.au/cyber", "https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack", "https://opensourcemalware.com/blog/teampcp-mistralai-opensearch-compromised", "IOCs.csv" ], "related": { "alienvault": { "adversary": [ "TeamPCP" ], "malware_families": [ "Router_runtime.js", "Tanstack_runner.js", "Router_init.js" ], "industries": [ "Technology" ], "unique_indicators": 9 }, "other": { "adversary": [ "TeamPCP", "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053" ], "malware_families": [ "Router_runtime.js", "Tanstack_runner.js", "Router_init.js" ], "industries": [ "Technology" ], "unique_indicators": 1744 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/git-tanstack.com", "whois": "http://whois.domaintools.com/git-tanstack.com", "domain": "git-tanstack.com", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "6a033148e786c959261ff66f", "name": "TanStack npm Packages Compromised in Ongoing Supply-Chain Attack", "description": "Socket detected 84 compromised TanStack npm package artifacts modified with credential-stealing malware targeting CI systems, including GitHub Actions. Affected packages like @tanstack/react-router have over 12 million weekly downloads. The malicious versions contain router_init.js, a heavily obfuscated file with daemonization capabilities and environment variable access for GitHub Actions secrets. The compromise exploited GitHub Actions cache poisoning and pull_request_target patterns to extract OIDC tokens and authenticate malicious npm publishes through trusted-publisher bindings. The malware harvests credentials from GitHub Actions, AWS (IMDS, Secrets Manager, SSM), HashiCorp Vault, and Kubernetes, while establishing persistence in Claude Code and VS Code directories. Exfiltration occurs through Session's decentralized P2P network. The campaign includes self-propagation mechanisms that steal npm OIDC tokens and autonomously republish compromised packages. Updates indicate expansion to OpenSearch, Mistr...", "modified": "2026-05-12T16:39:54.783000", "created": "2026-05-12T13:55:20.695000", "tags": [ "github actions", "supply-chain attack", "session p2p network", "oidc token theft", "credential stealer", "npm compromise", "ci/cd targeting", "router_init.js", "router_runtime.js", "mini shai-hulud", "tanstack_runner.js" ], "references": [ "https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "router_init.js", "display_name": "router_init.js", "target": null }, { "id": "tanstack_runner.js", "display_name": "tanstack_runner.js", "target": null }, { "id": "router_runtime.js", "display_name": "router_runtime.js", "target": null } ], "attack_ids": [ { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1552.005", "name": "Cloud Instance Metadata API", "display_name": "T1552.005 - Cloud Instance Metadata API" }, { "id": "T1036.005", "name": "Match Legitimate Name or Location", "display_name": "T1036.005 - Match Legitimate Name or Location" }, { "id": "T1543.003", "name": "Windows Service", "display_name": "T1543.003 - Windows Service" }, { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "display_name": "T1574.006 - Dynamic Linker Hijacking" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1098.001", "name": "Additional Cloud Credentials", "display_name": "T1098.001 - Additional Cloud Credentials" }, { "id": "T1087.004", "name": "Cloud Account", "display_name": "T1087.004 - Cloud Account" }, { "id": "T1136.003", "name": "Cloud Account", "display_name": "T1136.003 - Cloud Account" }, { "id": "T1204.003", "name": "Malicious Image", "display_name": "T1204.003 - Malicious Image" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1573.002", "name": "Asymmetric Cryptography", "display_name": "T1573.002 - Asymmetric Cryptography" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1550.001", "name": "Application Access Token", "display_name": "T1550.001 - Application Access Token" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1552.007", "name": "Container API", "display_name": "T1552.007 - Container API" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 2, "URL": 1, "domain": 1 }, "indicator_count": 9, "is_author": false, "is_subscribing": null, "subscriber_count": 386583, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0c7064a0fb569bec85f393", "name": "Botnet_C2 | May 20, 2026", "description": "Botnet_C2 indicators. Date: May 20, 2026. Total: 1572 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-19T14:15:00.785000", "created": "2026-05-19T14:15:00.785000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "hostname": 110, "URL": 131, "domain": 106 }, "indicator_count": 352, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0b1ea5176db73afd03be92", "name": "Botnet_C2 | May 19, 2026", "description": "Botnet_C2 indicators. Date: May 19, 2026. Total: 1536 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-18T14:13:57.759000", "created": "2026-05-18T14:13:57.759000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "hostname": 164, "URL": 126, "domain": 100 }, "indicator_count": 395, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "13 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a09ccf25cc07a878047c587", "name": "Botnet_C2 | May 18, 2026", "description": "Botnet_C2 indicators. Date: May 18, 2026. Total: 1498 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-17T14:13:06.822000", "created": "2026-05-17T14:13:06.822000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "domain": 91, "hostname": 167, "URL": 110 }, "indicator_count": 373, "is_author": false, "is_subscribing": null, "subscriber_count": 92, "modified_text": "14 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a087b722fa404577f1e5595", "name": "Botnet_C2 | May 17, 2026", "description": "Botnet_C2 indicators. Date: May 17, 2026. Total: 1324 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-16T14:13:06.540000", "created": "2026-05-16T14:13:06.540000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "URL": 109, "hostname": 167, "domain": 97 }, "indicator_count": 378, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "15 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a072a0676dcfed7790c60ab", "name": "Botnet_C2 | May 16, 2026", "description": "Botnet_C2 indicators. Date: May 16, 2026. Total: 1275 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-15T14:13:26.156000", "created": "2026-05-15T14:13:26.156000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "domain": 106, "hostname": 168, "URL": 103 }, "indicator_count": 382, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "16 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a05d87e1a72136955395ca3", "name": "Botnet_C2 | May 15, 2026", "description": "Botnet_C2 indicators. Date: May 15, 2026. Total: 1254 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-14T14:13:18.368000", "created": "2026-05-14T14:13:18.368000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "domain": 114, "hostname": 159, "URL": 111 }, "indicator_count": 389, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "17 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a04873aa32e956eec586c77", "name": "Botnet_C2 | May 14, 2026", "description": "Botnet_C2 indicators. Date: May 14, 2026. Total: 1170 indicators. For more threat intelligence visit https://ltna.com.au/cyber", "modified": "2026-05-13T14:14:18.218000", "created": "2026-05-13T14:14:18.218000", "tags": [ "botnet_c2" ], "references": [ "https://ltna.com.au/cyber" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "LTNA-Australia", "id": "380633", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_380633/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 5, "hostname": 161, "URL": 112, "domain": 134 }, "indicator_count": 412, "is_author": false, "is_subscribing": null, "subscriber_count": 93, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a047bb5f2b9d59bf3636161", "name": "EbeeMay2026 Pt2", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-13T13:25:09.112000", "created": "2026-05-13T13:25:09.112000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20250921 cve", "cve20260300 cve", "cve20261281 cve", "cve20261340 cve", "cve20261731 cve", "cve20261357 cve", "cve20259501 cve", "yara" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "JDownloader, DarkCloud, Chaos Ransomware, APT29, Shadow-Earth-053", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 66, "URL": 45, "CVE": 23, "FileHash-MD5": 232, "FileHash-SHA1": 239, "FileHash-SHA256": 264, "domain": 130, "email": 3, "hostname": 41 }, "indicator_count": 1043, "is_author": false, "is_subscribing": null, "subscriber_count": 41, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a0438987077d2025d7c1b2e", "name": "TeamPCP hits 160+ packages including OpenSearch and Mistral AI", "description": "A self-propagating npm worm identified as Mini Shai-Hulud has targeted over 170 npm packages and expanded into the Python Package Index (PyPI), specifically impacting high-profile clients such as the official OpenSearch JavaScript client and the Mistral AI packages. Named after the fictional creature from the \"Dune\" series, the attack has been attributed to a group calling themselves TeamPCP, which publicly claimed credit via a typosquatting domain associated with the npm packages.", "modified": "2026-05-13T08:38:48.280000", "created": "2026-05-13T08:38:48.280000", "tags": [ "malware", "npm security", "package security", "open source security", "threat intelligence", "vulnerability reporting", "teampcp", "opensearch", "mistral ai", "pypi", "session", "claude code", "vs code", "compromise", "iocs", "malicious", "pypi dropper", "love teampcp", "file hashes" ], "references": [ "https://opensourcemalware.com/blog/teampcp-mistralai-opensearch-compromised" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1195.001", "name": "Compromise Software Dependencies and Development Tools", "display_name": "T1195.001 - Compromise Software Dependencies and Development Tools" }, { "id": "T1497.001", "name": "System Checks", "display_name": "T1497.001 - System Checks" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 3, "FileHash-SHA256": 2, "URL": 1, "domain": 1, "hostname": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "18 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://git-tanstack.com/transformers.pyz", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://git-tanstack.com/transformers.pyz", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780266768.5403283 }