{
  "type": "URL",
  "indicator": "https://oob.moika.tech/payload",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://oob.moika.tech/payload",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4385127391,
      "indicator": "https://oob.moika.tech/payload",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 13,
      "pulses": [
        {
          "id": "6a1a7e87ef88fc3d7707a033",
          "name": "Malicious npm packages abuse dependency confusion to profile developer environments",
          "description": "Microsoft Threat Intelligence identified an active supply chain attack involving malicious npm packages that employ dependency confusion techniques. Between May 28-29, 2026, a threat actor using three maintainer aliases published malicious packages across nine organizational scopes that mirror real corporate namespaces. The packages execute obfuscated reconnaissance payloads through npm lifecycle hooks, collecting system information, environment variables, and developer credentials. All packages connect to the same command-and-control server and deploy a 17KB JavaScript dropper designed for environment fingerprinting. The campaign includes platform-specific payloads for Windows, macOS, and Linux, with CI/CD detection bypass capabilities. The architecture operates in reconnaissance-only mode but supports server-side toggling for full exploitation. Forensic analysis indicates all three accounts are operated by a single individual, evidenced by shared C2 infrastructure, identical hardcoded authentication toke...",
          "modified": "2026-06-02T09:35:15.651000",
          "created": "2026-05-30T06:07:03.273000",
          "tags": [
            "dependency confusion",
            "reconnaissance payload",
            "environment fingerprinting",
            "lifecycle hooks",
            "credential theft",
            "npm supply chain",
            "obfuscation",
            "ci/cd targeting"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2026/05/29/33-malicious-npm-packages-abuse-dependency-confusion-profile-developer-environments/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1036.005",
              "name": "Match Legitimate Name or Location",
              "display_name": "T1036.005 - Match Legitimate Name or Location"
            },
            {
              "id": "T1497.001",
              "name": "System Checks",
              "display_name": "T1497.001 - System Checks"
            },
            {
              "id": "T1574.001",
              "name": "DLL Search Order Hijacking",
              "display_name": "T1574.001 - DLL Search Order Hijacking"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1195.002",
              "name": "Compromise Software Supply Chain",
              "display_name": "T1195.002 - Compromise Software Supply Chain"
            },
            {
              "id": "T1564.003",
              "name": "Hidden Window",
              "display_name": "T1564.003 - Hidden Window"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1552.007",
              "name": "Container API",
              "display_name": "T1552.007 - Container API"
            }
          ],
          "industries": [
            "Technology",
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 10,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 7,
            "domain": 2,
            "hostname": 7
          },
          "indicator_count": 16,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 387155,
          "modified_text": "1 day ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a205f1991ad79d5621cc305",
          "name": "wormsign \u2014 supply-chain: npm:@service-suppliers/select-supplier-watcher-saga",
          "description": "Wormsign detonated npm:@service-suppliers/select-supplier-watcher-saga in a network-sandboxed environment. Observed 7 indicator(s); 7 appear novel against OTX as of submission. The malicious package was published to the npm registry and is included in our open supply-chain indicator feed. Full context, per-IOC tier classification, and the detonation card with MITRE TTPs: https://wormsign.io/portfolio/@service-suppliers/select-supplier-watcher-saga. Search any IOC across the wormsign corpus: https://wormsign.io/?q=oob.moika.tech. TLP:CLEAR \u2014 indicators only, no malware samples.",
          "modified": "2026-06-03T17:06:32.989000",
          "created": "2026-06-03T17:06:32.989000",
          "tags": [
            "wormsign",
            "supply-chain",
            "npm",
            "package-compromise"
          ],
          "references": [
            "https://wormsign.io/portfolio/@service-suppliers/select-supplier-watcher-saga",
            "https://wormsign.io"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "w0rmsign",
            "id": "408234",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_408234/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1,
            "URL": 6
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 12,
          "modified_text": "21 minutes ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a205f173077ef06329f7bd8",
          "name": "wormsign \u2014 supply-chain: npm:@service-suppliers/set_selected_supplier",
          "description": "Wormsign detonated npm:@service-suppliers/set_selected_supplier in a network-sandboxed environment. Observed 7 indicator(s); 7 appear novel against OTX as of submission. The malicious package was published to the npm registry and is included in our open supply-chain indicator feed. Full context, per-IOC tier classification, and the detonation card with MITRE TTPs: https://wormsign.io/portfolio/@service-suppliers/set_selected_supplier. Search any IOC across the wormsign corpus: https://wormsign.io/?q=oob.moika.tech. TLP:CLEAR \u2014 indicators only, no malware samples.",
          "modified": "2026-06-03T17:06:31.327000",
          "created": "2026-06-03T17:06:31.327000",
          "tags": [
            "wormsign",
            "supply-chain",
            "npm",
            "package-compromise"
          ],
          "references": [
            "https://wormsign.io/portfolio/@service-suppliers/set_selected_supplier",
            "https://wormsign.io"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "w0rmsign",
            "id": "408234",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_408234/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1,
            "URL": 6
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 12,
          "modified_text": "21 minutes ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a205f16d15a457aee5f6cc2",
          "name": "wormsign \u2014 supply-chain: npm:@service-suppliers/suppliers",
          "description": "Wormsign detonated npm:@service-suppliers/suppliers in a network-sandboxed environment. Observed 7 indicator(s); 7 appear novel against OTX as of submission. The malicious package was published to the npm registry and is included in our open supply-chain indicator feed. Full context, per-IOC tier classification, and the detonation card with MITRE TTPs: https://wormsign.io/portfolio/@service-suppliers/suppliers. Search any IOC across the wormsign corpus: https://wormsign.io/?q=oob.moika.tech. TLP:CLEAR \u2014 indicators only, no malware samples.",
          "modified": "2026-06-03T17:06:30.866000",
          "created": "2026-06-03T17:06:30.866000",
          "tags": [
            "wormsign",
            "supply-chain",
            "npm",
            "package-compromise"
          ],
          "references": [
            "https://wormsign.io/portfolio/@service-suppliers/suppliers",
            "https://wormsign.io"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "w0rmsign",
            "id": "408234",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_408234/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1,
            "URL": 6
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 12,
          "modified_text": "21 minutes ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a205f164d5f6fe934f66a90",
          "name": "wormsign \u2014 supply-chain: npm:@service-user-notifications/set_notifications_not_removable",
          "description": "Wormsign detonated npm:@service-user-notifications/set_notifications_not_removable in a network-sandboxed environment. Observed 7 indicator(s); 7 appear novel against OTX as of submission. The malicious package was published to the npm registry and is included in our open supply-chain indicator feed. Full context, per-IOC tier classification, and the detonation card with MITRE TTPs: https://wormsign.io/portfolio/@service-user-notifications/set_notifications_not_removable. Search any IOC across the wormsign corpus: https://wormsign.io/?q=oob.moika.tech. TLP:CLEAR \u2014 indicators only, no malware samples.",
          "modified": "2026-06-03T17:06:30.108000",
          "created": "2026-06-03T17:06:30.108000",
          "tags": [
            "wormsign",
            "supply-chain",
            "npm",
            "package-compromise"
          ],
          "references": [
            "https://wormsign.io/portfolio/@service-user-notifications/set_notifications_not_removable",
            "https://wormsign.io"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "w0rmsign",
            "id": "408234",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_408234/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1,
            "URL": 6
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 12,
          "modified_text": "21 minutes ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a205f15bcdfffa8e0ec80f5",
          "name": "wormsign \u2014 supply-chain: npm:@service-user-notifications/set_refresh_interval",
          "description": "Wormsign detonated npm:@service-user-notifications/set_refresh_interval in a network-sandboxed environment. Observed 7 indicator(s); 7 appear novel against OTX as of submission. The malicious package was published to the npm registry and is included in our open supply-chain indicator feed. Full context, per-IOC tier classification, and the detonation card with MITRE TTPs: https://wormsign.io/portfolio/@service-user-notifications/set_refresh_interval. Search any IOC across the wormsign corpus: https://wormsign.io/?q=oob.moika.tech. TLP:CLEAR \u2014 indicators only, no malware samples.",
          "modified": "2026-06-03T17:06:29.004000",
          "created": "2026-06-03T17:06:29.004000",
          "tags": [
            "wormsign",
            "supply-chain",
            "npm",
            "package-compromise"
          ],
          "references": [
            "https://wormsign.io/portfolio/@service-user-notifications/set_refresh_interval",
            "https://wormsign.io"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "w0rmsign",
            "id": "408234",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_408234/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1,
            "URL": 6
          },
          "indicator_count": 7,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 12,
          "modified_text": "21 minutes ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a1ff4dbb0cde53c580a408f",
          "name": "Malicious npm packages abuse dependency confusion to profile developer environments",
          "description": "",
          "modified": "2026-06-03T09:33:15.366000",
          "created": "2026-06-03T09:33:15.366000",
          "tags": [
            "dependency confusion",
            "reconnaissance payload",
            "environment fingerprinting",
            "lifecycle hooks",
            "credential theft",
            "npm supply chain",
            "obfuscation",
            "ci/cd targeting"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2026/05/29/33-malicious-npm-packages-abuse-dependency-confusion-profile-developer-environments/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1036.005",
              "name": "Match Legitimate Name or Location",
              "display_name": "T1036.005 - Match Legitimate Name or Location"
            },
            {
              "id": "T1497.001",
              "name": "System Checks",
              "display_name": "T1497.001 - System Checks"
            },
            {
              "id": "T1574.001",
              "name": "DLL Search Order Hijacking",
              "display_name": "T1574.001 - DLL Search Order Hijacking"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1195.002",
              "name": "Compromise Software Supply Chain",
              "display_name": "T1195.002 - Compromise Software Supply Chain"
            },
            {
              "id": "T1564.003",
              "name": "Hidden Window",
              "display_name": "T1564.003 - Hidden Window"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1552.007",
              "name": "Container API",
              "display_name": "T1552.007 - Container API"
            }
          ],
          "industries": [
            "Technology",
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": "6a1a7e87ef88fc3d7707a033",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 7,
            "domain": 2,
            "hostname": 7
          },
          "indicator_count": 16,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "7 hours ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a1ff4ba759354190f1e5914",
          "name": "Malicious npm packages abuse dependency confusion to profile developer environments",
          "description": "",
          "modified": "2026-06-03T09:32:42.269000",
          "created": "2026-06-03T09:32:42.269000",
          "tags": [
            "dependency confusion",
            "reconnaissance payload",
            "environment fingerprinting",
            "lifecycle hooks",
            "credential theft",
            "npm supply chain",
            "obfuscation",
            "ci/cd targeting"
          ],
          "references": [
            "https://www.microsoft.com/en-us/security/blog/2026/05/29/33-malicious-npm-packages-abuse-dependency-confusion-profile-developer-environments/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1036.005",
              "name": "Match Legitimate Name or Location",
              "display_name": "T1036.005 - Match Legitimate Name or Location"
            },
            {
              "id": "T1497.001",
              "name": "System Checks",
              "display_name": "T1497.001 - System Checks"
            },
            {
              "id": "T1574.001",
              "name": "DLL Search Order Hijacking",
              "display_name": "T1574.001 - DLL Search Order Hijacking"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1552.001",
              "name": "Credentials In Files",
              "display_name": "T1552.001 - Credentials In Files"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1195.002",
              "name": "Compromise Software Supply Chain",
              "display_name": "T1195.002 - Compromise Software Supply Chain"
            },
            {
              "id": "T1564.003",
              "name": "Hidden Window",
              "display_name": "T1564.003 - Hidden Window"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1518",
              "name": "Software Discovery",
              "display_name": "T1518 - Software Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1078.004",
              "name": "Cloud Accounts",
              "display_name": "T1078.004 - Cloud Accounts"
            },
            {
              "id": "T1552.007",
              "name": "Container API",
              "display_name": "T1552.007 - Container API"
            }
          ],
          "industries": [
            "Technology",
            "Finance"
          ],
          "TLP": "white",
          "cloned_from": "6a1a7e87ef88fc3d7707a033",
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 7,
            "domain": 2,
            "hostname": 7
          },
          "indicator_count": 16,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 278,
          "modified_text": "7 hours ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a1a75eca3c17f09b2a4e8e1",
          "name": "wormsign \u2014 supply-chain: npm:@service-user-notifications/set_refresh_interval",
          "description": "Wormsign detonated npm:@service-user-notifications/set_refresh_interval in a network-sandboxed environment. Observed 8 indicator(s); 8 appear novel against OTX as of submission. The malicious package was published to the npm registry and is included in our open supply-chain indicator feed. Full context, per-IOC tier classification, and the detonation card with MITRE TTPs: https://wormsign.io/portfolio/@service-user-notifications/set_refresh_interval. TLP:CLEAR \u2014 indicators only, no malware samples.",
          "modified": "2026-05-30T07:32:07.715000",
          "created": "2026-05-30T05:30:20.234000",
          "tags": [
            "wormsign",
            "supply-chain",
            "npm",
            "package-compromise"
          ],
          "references": [
            "https://wormsign.io/portfolio/@service-user-notifications/set_refresh_interval",
            "https://wormsign.io"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "w0rmsign",
            "id": "408234",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_408234/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1,
            "URL": 6,
            "FileHash-SHA256": 1
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 12,
          "modified_text": "4 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a1a75ec39e87d2bf9d4422b",
          "name": "wormsign \u2014 supply-chain: npm:@service-user-notifications/set_notifications_not_removable",
          "description": "Wormsign detonated npm:@service-user-notifications/set_notifications_not_removable in a network-sandboxed environment. Observed 8 indicator(s); 8 appear novel against OTX as of submission. The malicious package was published to the npm registry and is included in our open supply-chain indicator feed. Full context, per-IOC tier classification, and the detonation card with MITRE TTPs: https://wormsign.io/portfolio/@service-user-notifications/set_notifications_not_removable. TLP:CLEAR \u2014 indicators only, no malware samples.",
          "modified": "2026-05-30T07:32:07.232000",
          "created": "2026-05-30T05:30:20.841000",
          "tags": [
            "wormsign",
            "supply-chain",
            "npm",
            "package-compromise"
          ],
          "references": [
            "https://wormsign.io/portfolio/@service-user-notifications/set_notifications_not_removable",
            "https://wormsign.io"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "w0rmsign",
            "id": "408234",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_408234/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1,
            "URL": 6,
            "FileHash-SHA256": 1
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 12,
          "modified_text": "4 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a1a75ed512a1530d3bd004b",
          "name": "wormsign \u2014 supply-chain: npm:@service-suppliers/suppliers",
          "description": "Wormsign detonated npm:@service-suppliers/suppliers in a network-sandboxed environment. Observed 8 indicator(s); 8 appear novel against OTX as of submission. The malicious package was published to the npm registry and is included in our open supply-chain indicator feed. Full context, per-IOC tier classification, and the detonation card with MITRE TTPs: https://wormsign.io/portfolio/@service-suppliers/suppliers. TLP:CLEAR \u2014 indicators only, no malware samples.",
          "modified": "2026-05-30T07:31:59.313000",
          "created": "2026-05-30T05:30:21.443000",
          "tags": [
            "wormsign",
            "supply-chain",
            "npm",
            "package-compromise"
          ],
          "references": [
            "https://wormsign.io/portfolio/@service-suppliers/suppliers",
            "https://wormsign.io"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "w0rmsign",
            "id": "408234",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_408234/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1,
            "URL": 6,
            "FileHash-SHA256": 1
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 12,
          "modified_text": "4 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a1a75ee2a55e68d7424a0d9",
          "name": "wormsign \u2014 supply-chain: npm:@service-suppliers/set_selected_supplier",
          "description": "Wormsign detonated npm:@service-suppliers/set_selected_supplier in a network-sandboxed environment. Observed 8 indicator(s); 8 appear novel against OTX as of submission. The malicious package was published to the npm registry and is included in our open supply-chain indicator feed. Full context, per-IOC tier classification, and the detonation card with MITRE TTPs: https://wormsign.io/portfolio/@service-suppliers/set_selected_supplier. TLP:CLEAR \u2014 indicators only, no malware samples.",
          "modified": "2026-05-30T07:31:58.953000",
          "created": "2026-05-30T05:30:22.198000",
          "tags": [
            "wormsign",
            "supply-chain",
            "npm",
            "package-compromise"
          ],
          "references": [
            "https://wormsign.io/portfolio/@service-suppliers/set_selected_supplier",
            "https://wormsign.io"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "w0rmsign",
            "id": "408234",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_408234/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1,
            "URL": 6,
            "FileHash-SHA256": 1
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 12,
          "modified_text": "4 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "6a1a75ef6fab76fcc5902fc4",
          "name": "wormsign \u2014 supply-chain: npm:@service-suppliers/select-supplier-watcher-saga",
          "description": "Wormsign detonated npm:@service-suppliers/select-supplier-watcher-saga in a network-sandboxed environment. Observed 8 indicator(s); 8 appear novel against OTX as of submission. The malicious package was published to the npm registry and is included in our open supply-chain indicator feed. Full context, per-IOC tier classification, and the detonation card with MITRE TTPs: https://wormsign.io/portfolio/@service-suppliers/select-supplier-watcher-saga. TLP:CLEAR \u2014 indicators only, no malware samples.",
          "modified": "2026-05-30T07:31:58.522000",
          "created": "2026-05-30T05:30:23.627000",
          "tags": [
            "wormsign",
            "supply-chain",
            "npm",
            "package-compromise"
          ],
          "references": [
            "https://wormsign.io/portfolio/@service-suppliers/select-supplier-watcher-saga",
            "https://wormsign.io"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "w0rmsign",
            "id": "408234",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_408234/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "hostname": 1,
            "URL": 6,
            "FileHash-SHA256": 1
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 12,
          "modified_text": "4 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://wormsign.io/portfolio/@service-user-notifications/set_refresh_interval",
        "https://wormsign.io/portfolio/@service-suppliers/suppliers",
        "https://wormsign.io",
        "https://wormsign.io/portfolio/@service-user-notifications/set_notifications_not_removable",
        "https://www.microsoft.com/en-us/security/blog/2026/05/29/33-malicious-npm-packages-abuse-dependency-confusion-profile-developer-environments/",
        "https://wormsign.io/portfolio/@service-suppliers/select-supplier-watcher-saga",
        "https://wormsign.io/portfolio/@service-suppliers/set_selected_supplier"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [
            "Finance",
            "Technology"
          ],
          "unique_indicators": 16
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [
            "Finance",
            "Technology"
          ],
          "unique_indicators": 36
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/moika.tech",
    "whois": "http://whois.domaintools.com/moika.tech",
    "domain": "moika.tech",
    "hostname": "oob.moika.tech"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 13,
  "pulses": [
    {
      "id": "6a1a7e87ef88fc3d7707a033",
      "name": "Malicious npm packages abuse dependency confusion to profile developer environments",
      "description": "Microsoft Threat Intelligence identified an active supply chain attack involving malicious npm packages that employ dependency confusion techniques. Between May 28-29, 2026, a threat actor using three maintainer aliases published malicious packages across nine organizational scopes that mirror real corporate namespaces. The packages execute obfuscated reconnaissance payloads through npm lifecycle hooks, collecting system information, environment variables, and developer credentials. All packages connect to the same command-and-control server and deploy a 17KB JavaScript dropper designed for environment fingerprinting. The campaign includes platform-specific payloads for Windows, macOS, and Linux, with CI/CD detection bypass capabilities. The architecture operates in reconnaissance-only mode but supports server-side toggling for full exploitation. Forensic analysis indicates all three accounts are operated by a single individual, evidenced by shared C2 infrastructure, identical hardcoded authentication toke...",
      "modified": "2026-06-02T09:35:15.651000",
      "created": "2026-05-30T06:07:03.273000",
      "tags": [
        "dependency confusion",
        "reconnaissance payload",
        "environment fingerprinting",
        "lifecycle hooks",
        "credential theft",
        "npm supply chain",
        "obfuscation",
        "ci/cd targeting"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2026/05/29/33-malicious-npm-packages-abuse-dependency-confusion-profile-developer-environments/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1036.005",
          "name": "Match Legitimate Name or Location",
          "display_name": "T1036.005 - Match Legitimate Name or Location"
        },
        {
          "id": "T1497.001",
          "name": "System Checks",
          "display_name": "T1497.001 - System Checks"
        },
        {
          "id": "T1574.001",
          "name": "DLL Search Order Hijacking",
          "display_name": "T1574.001 - DLL Search Order Hijacking"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1552.001",
          "name": "Credentials In Files",
          "display_name": "T1552.001 - Credentials In Files"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1195.002",
          "name": "Compromise Software Supply Chain",
          "display_name": "T1195.002 - Compromise Software Supply Chain"
        },
        {
          "id": "T1564.003",
          "name": "Hidden Window",
          "display_name": "T1564.003 - Hidden Window"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1552.007",
          "name": "Container API",
          "display_name": "T1552.007 - Container API"
        }
      ],
      "industries": [
        "Technology",
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 10,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 7,
        "domain": 2,
        "hostname": 7
      },
      "indicator_count": 16,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 387155,
      "modified_text": "1 day ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a205f1991ad79d5621cc305",
      "name": "wormsign \u2014 supply-chain: npm:@service-suppliers/select-supplier-watcher-saga",
      "description": "Wormsign detonated npm:@service-suppliers/select-supplier-watcher-saga in a network-sandboxed environment. Observed 7 indicator(s); 7 appear novel against OTX as of submission. The malicious package was published to the npm registry and is included in our open supply-chain indicator feed. Full context, per-IOC tier classification, and the detonation card with MITRE TTPs: https://wormsign.io/portfolio/@service-suppliers/select-supplier-watcher-saga. Search any IOC across the wormsign corpus: https://wormsign.io/?q=oob.moika.tech TLP:CLEAR \u2014 indicators only, no malware samples.",
      "modified": "2026-06-03T17:06:32.989000",
      "created": "2026-06-03T17:06:32.989000",
      "tags": [
        "wormsign",
        "supply-chain",
        "npm",
        "package-compromise"
      ],
      "references": [
        "https://wormsign.io/portfolio/@service-suppliers/select-supplier-watcher-saga",
        "https://wormsign.io"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "w0rmsign",
        "id": "408234",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_408234/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 1,
        "URL": 6
      },
      "indicator_count": 7,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 12,
      "modified_text": "21 minutes ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a205f173077ef06329f7bd8",
      "name": "wormsign \u2014 supply-chain: npm:@service-suppliers/set_selected_supplier",
      "description": "Wormsign detonated npm:@service-suppliers/set_selected_supplier in a network-sandboxed environment. Observed 7 indicator(s); 7 appear novel against OTX as of submission. The malicious package was published to the npm registry and is included in our open supply-chain indicator feed. Full context, per-IOC tier classification, and the detonation card with MITRE TTPs: https://wormsign.io/portfolio/@service-suppliers/set_selected_supplier. Search any IOC across the wormsign corpus: https://wormsign.io/?q=oob.moika.tech TLP:CLEAR \u2014 indicators only, no malware samples.",
      "modified": "2026-06-03T17:06:31.327000",
      "created": "2026-06-03T17:06:31.327000",
      "tags": [
        "wormsign",
        "supply-chain",
        "npm",
        "package-compromise"
      ],
      "references": [
        "https://wormsign.io/portfolio/@service-suppliers/set_selected_supplier",
        "https://wormsign.io"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "w0rmsign",
        "id": "408234",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_408234/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 1,
        "URL": 6
      },
      "indicator_count": 7,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 12,
      "modified_text": "21 minutes ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a205f16d15a457aee5f6cc2",
      "name": "wormsign \u2014 supply-chain: npm:@service-suppliers/suppliers",
      "description": "Wormsign detonated npm:@service-suppliers/suppliers in a network-sandboxed environment. Observed 7 indicator(s); 7 appear novel against OTX as of submission. The malicious package was published to the npm registry and is included in our open supply-chain indicator feed. Full context, per-IOC tier classification, and the detonation card with MITRE TTPs: https://wormsign.io/portfolio/@service-suppliers/suppliers. Search any IOC across the wormsign corpus: https://wormsign.io/?q=oob.moika.tech TLP:CLEAR \u2014 indicators only, no malware samples.",
      "modified": "2026-06-03T17:06:30.866000",
      "created": "2026-06-03T17:06:30.866000",
      "tags": [
        "wormsign",
        "supply-chain",
        "npm",
        "package-compromise"
      ],
      "references": [
        "https://wormsign.io/portfolio/@service-suppliers/suppliers",
        "https://wormsign.io"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "w0rmsign",
        "id": "408234",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_408234/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 1,
        "URL": 6
      },
      "indicator_count": 7,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 12,
      "modified_text": "21 minutes ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a205f164d5f6fe934f66a90",
      "name": "wormsign \u2014 supply-chain: npm:@service-user-notifications/set_notifications_not_removable",
      "description": "Wormsign detonated npm:@service-user-notifications/set_notifications_not_removable in a network-sandboxed environment. Observed 7 indicator(s); 7 appear novel against OTX as of submission. The malicious package was published to the npm registry and is included in our open supply-chain indicator feed. Full context, per-IOC tier classification, and the detonation card with MITRE TTPs: https://wormsign.io/portfolio/@service-user-notifications/set_notifications_not_removable. Search any IOC across the wormsign corpus: https://wormsign.io/?q=oob.moika.tech TLP:CLEAR \u2014 indicators only, no malware samples.",
      "modified": "2026-06-03T17:06:30.108000",
      "created": "2026-06-03T17:06:30.108000",
      "tags": [
        "wormsign",
        "supply-chain",
        "npm",
        "package-compromise"
      ],
      "references": [
        "https://wormsign.io/portfolio/@service-user-notifications/set_notifications_not_removable",
        "https://wormsign.io"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "w0rmsign",
        "id": "408234",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_408234/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 1,
        "URL": 6
      },
      "indicator_count": 7,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 12,
      "modified_text": "21 minutes ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a205f15bcdfffa8e0ec80f5",
      "name": "wormsign \u2014 supply-chain: npm:@service-user-notifications/set_refresh_interval",
      "description": "Wormsign detonated npm:@service-user-notifications/set_refresh_interval in a network-sandboxed environment. Observed 7 indicator(s); 7 appear novel against OTX as of submission. The malicious package was published to the npm registry and is included in our open supply-chain indicator feed. Full context, per-IOC tier classification, and the detonation card with MITRE TTPs: https://wormsign.io/portfolio/@service-user-notifications/set_refresh_interval. Search any IOC across the wormsign corpus: https://wormsign.io/?q=oob.moika.tech TLP:CLEAR \u2014 indicators only, no malware samples.",
      "modified": "2026-06-03T17:06:29.004000",
      "created": "2026-06-03T17:06:29.004000",
      "tags": [
        "wormsign",
        "supply-chain",
        "npm",
        "package-compromise"
      ],
      "references": [
        "https://wormsign.io/portfolio/@service-user-notifications/set_refresh_interval",
        "https://wormsign.io"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "w0rmsign",
        "id": "408234",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_408234/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 1,
        "URL": 6
      },
      "indicator_count": 7,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 12,
      "modified_text": "21 minutes ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a1ff4dbb0cde53c580a408f",
      "name": "Malicious npm packages abuse dependency confusion to profile developer environments",
      "description": "",
      "modified": "2026-06-03T09:33:15.366000",
      "created": "2026-06-03T09:33:15.366000",
      "tags": [
        "dependency confusion",
        "reconnaissance payload",
        "environment fingerprinting",
        "lifecycle hooks",
        "credential theft",
        "npm supply chain",
        "obfuscation",
        "ci/cd targeting"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2026/05/29/33-malicious-npm-packages-abuse-dependency-confusion-profile-developer-environments/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1036.005",
          "name": "Match Legitimate Name or Location",
          "display_name": "T1036.005 - Match Legitimate Name or Location"
        },
        {
          "id": "T1497.001",
          "name": "System Checks",
          "display_name": "T1497.001 - System Checks"
        },
        {
          "id": "T1574.001",
          "name": "DLL Search Order Hijacking",
          "display_name": "T1574.001 - DLL Search Order Hijacking"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1552.001",
          "name": "Credentials In Files",
          "display_name": "T1552.001 - Credentials In Files"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1195.002",
          "name": "Compromise Software Supply Chain",
          "display_name": "T1195.002 - Compromise Software Supply Chain"
        },
        {
          "id": "T1564.003",
          "name": "Hidden Window",
          "display_name": "T1564.003 - Hidden Window"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1552.007",
          "name": "Container API",
          "display_name": "T1552.007 - Container API"
        }
      ],
      "industries": [
        "Technology",
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": "6a1a7e87ef88fc3d7707a033",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 7,
        "domain": 2,
        "hostname": 7
      },
      "indicator_count": 16,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "7 hours ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a1ff4ba759354190f1e5914",
      "name": "Malicious npm packages abuse dependency confusion to profile developer environments",
      "description": "",
      "modified": "2026-06-03T09:32:42.269000",
      "created": "2026-06-03T09:32:42.269000",
      "tags": [
        "dependency confusion",
        "reconnaissance payload",
        "environment fingerprinting",
        "lifecycle hooks",
        "credential theft",
        "npm supply chain",
        "obfuscation",
        "ci/cd targeting"
      ],
      "references": [
        "https://www.microsoft.com/en-us/security/blog/2026/05/29/33-malicious-npm-packages-abuse-dependency-confusion-profile-developer-environments/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1036.005",
          "name": "Match Legitimate Name or Location",
          "display_name": "T1036.005 - Match Legitimate Name or Location"
        },
        {
          "id": "T1497.001",
          "name": "System Checks",
          "display_name": "T1497.001 - System Checks"
        },
        {
          "id": "T1574.001",
          "name": "DLL Search Order Hijacking",
          "display_name": "T1574.001 - DLL Search Order Hijacking"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1497",
          "name": "Virtualization/Sandbox Evasion",
          "display_name": "T1497 - Virtualization/Sandbox Evasion"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1552.001",
          "name": "Credentials In Files",
          "display_name": "T1552.001 - Credentials In Files"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1195.002",
          "name": "Compromise Software Supply Chain",
          "display_name": "T1195.002 - Compromise Software Supply Chain"
        },
        {
          "id": "T1564.003",
          "name": "Hidden Window",
          "display_name": "T1564.003 - Hidden Window"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1518",
          "name": "Software Discovery",
          "display_name": "T1518 - Software Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1078.004",
          "name": "Cloud Accounts",
          "display_name": "T1078.004 - Cloud Accounts"
        },
        {
          "id": "T1552.007",
          "name": "Container API",
          "display_name": "T1552.007 - Container API"
        }
      ],
      "industries": [
        "Technology",
        "Finance"
      ],
      "TLP": "white",
      "cloned_from": "6a1a7e87ef88fc3d7707a033",
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 7,
        "domain": 2,
        "hostname": 7
      },
      "indicator_count": 16,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 278,
      "modified_text": "7 hours ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a1a75eca3c17f09b2a4e8e1",
      "name": "wormsign \u2014 supply-chain: npm:@service-user-notifications/set_refresh_interval",
      "description": "Wormsign detonated npm:@service-user-notifications/set_refresh_interval in a network-sandboxed environment. Observed 8 indicators; all 8 appear to be new to OTX as of submission. The malicious package was published to the npm registry and is included in our open supply-chain indicator feed. Full context, per-IOC tier classification, and the detonation card with MITRE TTPs: https://wormsign.io/portfolio/@service-user-notifications/set_refresh_interval. TLP:CLEAR \u2014 indicators only, no malware samples.",
      "modified": "2026-05-30T07:32:07.715000",
      "created": "2026-05-30T05:30:20.234000",
      "tags": [
        "wormsign",
        "supply-chain",
        "npm",
        "package-compromise"
      ],
      "references": [
        "https://wormsign.io/portfolio/@service-user-notifications/set_refresh_interval",
        "https://wormsign.io"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "w0rmsign",
        "id": "408234",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_408234/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 1,
        "URL": 6,
        "FileHash-SHA256": 1
      },
      "indicator_count": 8,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 12,
      "modified_text": "4 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "6a1a75ec39e87d2bf9d4422b",
      "name": "wormsign \u2014 supply-chain: npm:@service-user-notifications/set_notifications_not_removable",
      "description": "Wormsign detonated npm:@service-user-notifications/set_notifications_not_removable in a network-sandboxed environment. Observed 8 indicators; all 8 appear to be new to OTX as of submission. The malicious package was published to the npm registry and is included in our open supply-chain indicator feed. Full context, per-IOC tier classification, and the detonation card with MITRE TTPs: https://wormsign.io/portfolio/@service-user-notifications/set_notifications_not_removable. TLP:CLEAR \u2014 indicators only, no malware samples.",
      "modified": "2026-05-30T07:32:07.232000",
      "created": "2026-05-30T05:30:20.841000",
      "tags": [
        "wormsign",
        "supply-chain",
        "npm",
        "package-compromise"
      ],
      "references": [
        "https://wormsign.io/portfolio/@service-user-notifications/set_notifications_not_removable",
        "https://wormsign.io"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "w0rmsign",
        "id": "408234",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_408234/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "hostname": 1,
        "URL": 6,
        "FileHash-SHA256": 1
      },
      "indicator_count": 8,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 12,
      "modified_text": "4 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://oob.moika.tech/payload",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://oob.moika.tech/payload",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780507670.3758163
}