{ "type": "URL", "indicator": "https://scan.aquasecurtiy.org", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://scan.aquasecurtiy.org", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4274485738, "indicator": "https://scan.aquasecurtiy.org", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69bd18a7cc27dfdfaf6f56a4", "name": "Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets", "description": "A new supply chain attack targeting Trivy has compromised 75 out of 76 version tags in the aquasecurity/trivy-action GitHub repository. The attacker force-pushed these tags to serve malicious payloads, effectively turning trusted version references into a distribution mechanism for an infostealer. The malicious code executes within GitHub Actions runners, targeting sensitive data in CI/CD environments. It harvests secrets from runner process memory and the filesystem, encrypts the collected data, and exfiltrates it to an attacker-controlled endpoint or a fallback GitHub-based channel. The attack's scope is significant, potentially affecting over 10,000 workflow files on GitHub referencing this action.", "modified": "2026-03-20T21:05:12.398000", "created": "2026-03-20T09:51:35.029000", "tags": [ "ci/cd", "teampcp cloud stealer", "credential theft", "trivy", "infostealer", "supply chain attack", "typosquat", "github actions", "exfiltration" ], "references": [ "https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "TeamPCP Cloud stealer", "display_name": "TeamPCP Cloud stealer", "target": null } ], "attack_ids": [ { "id": "T1552.005", "name": "Cloud Instance Metadata API", "display_name": "T1552.005 - Cloud Instance Metadata API" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1552.003", "name": "Bash History", "display_name": "T1552.003 - Bash History" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1552.006", "name": "Group Policy Preferences", "display_name": "T1552.006 - Group Policy Preferences" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "hostname": 1 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 377791, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ccd2f7984fad6feebb4ca4", "name": "VirusTotal report\n for index.html", "description": "The full text of the full report-to-gws, which was published on 1 April 2026, has been published online by the Csp website, following a request from the BBC>pretext .", "modified": "2026-04-01T08:44:36.825000", "created": "2026-04-01T08:10:31.621000", "tags": [ "self", "downlink rtt", "html document", "ascii text", "crlf line", "windows", "linux", "build web", "html", "javascript", "https", "acceptencoding", "cookie", "dynamic", "authorization", "contentmd5", "wp engine", "xmsedgeref ref", "bl2edge1520 ref", "expires sun", "gmt date", "gmt xcache", "tcphit", "gmt etag", "b8glwd", "afeap", "bmxagc", "e5bfse", "bgs6mb", "bjwmce", "ciztgb", "kqhykb", "cxxawb", "fevhcf", "code", "server", "registrar abuse", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city", "redmond tech", "samesitelax", "path", "httponly", "secure", "priorityhigh", "gmt contenttype", "contentlength", "connection", "cfray", "accept", "anycast", "wifi display", "android", "hdtv", "anycast og", "anything", "big screen", "mobileoptimized", "try shopify", "platform", "businesses", "shopify fb", "shopify og", "snapchat", "chat", "snaps", "a snap", "utc google", "adobe dynamic", "tag management", "amazon", "utc amazon", "utc facebook", "connect na", "analytics na", "tag manager", "gdlname", "miss", "drupal", "miss xtimer", "ve9 xcache", "miss date", "gmt link", "build", "home og", "cloudfront", "iad6", "kb body", "sha256", "aspen", "aspen one", "return", "transformed og", "aioseo", "site kit", "google", "file type", "name file", "html internet", "unicode text", "utf8 text" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 238, "URL": 367, "domain": 80, "hostname": 155, "FileHash-MD5": 115, "FileHash-SHA1": 105, "email": 5, "IPv4": 40, "SSLCertFingerprint": 4 }, "indicator_count": 1109, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf253c0d01550b4e613cbf", "name": "Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets", "description": "", "modified": "2026-03-21T23:09:48.140000", "created": "2026-03-21T23:09:48.140000", "tags": [ "ci/cd", "teampcp cloud stealer", "credential theft", "trivy", "infostealer", "supply chain attack", "typosquat", "github actions", "exfiltration" ], "references": [ "https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "TeamPCP Cloud stealer", "display_name": "TeamPCP Cloud stealer", "target": null } ], "attack_ids": [ { "id": "T1552.005", "name": "Cloud Instance Metadata API", "display_name": "T1552.005 - Cloud Instance Metadata API" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1552.003", "name": "Bash History", "display_name": "T1552.003 - Bash History" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1552.006", "name": "Group Policy Preferences", "display_name": "T1552.006 - Group Policy Preferences" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" } ], "industries": [], "TLP": "white", "cloned_from": "69bd18a7cc27dfdfaf6f56a4", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "hostname": 1 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise" ], "related": { "alienvault": { "adversary": [ "TeamPCP" ], "malware_families": [ "Teampcp cloud stealer" ], "industries": [], "unique_indicators": 4 }, "other": { "adversary": [ "TeamPCP" ], "malware_families": [ "Teampcp cloud stealer" ], "industries": [], "unique_indicators": 1020 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/aquasecurtiy.org", "whois": "http://whois.domaintools.com/aquasecurtiy.org", "domain": "aquasecurtiy.org", "hostname": "scan.aquasecurtiy.org" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69bd18a7cc27dfdfaf6f56a4", "name": "Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets", "description": "A new supply chain attack targeting Trivy has compromised 75 out of 76 version tags in the aquasecurity/trivy-action GitHub repository. The attacker force-pushed these tags to serve malicious payloads, effectively turning trusted version references into a distribution mechanism for an infostealer. The malicious code executes within GitHub Actions runners, targeting sensitive data in CI/CD environments. It harvests secrets from runner process memory and the filesystem, encrypts the collected data, and exfiltrates it to an attacker-controlled endpoint or a fallback GitHub-based channel. The attack's scope is significant, potentially affecting over 10,000 workflow files on GitHub referencing this action.", "modified": "2026-03-20T21:05:12.398000", "created": "2026-03-20T09:51:35.029000", "tags": [ "ci/cd", "teampcp cloud stealer", "credential theft", "trivy", "infostealer", "supply chain attack", "typosquat", "github actions", "exfiltration" ], "references": [ "https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "TeamPCP Cloud stealer", "display_name": "TeamPCP Cloud stealer", "target": null } ], "attack_ids": [ { "id": "T1552.005", "name": "Cloud Instance Metadata API", "display_name": "T1552.005 - Cloud Instance Metadata API" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1552.003", "name": "Bash History", "display_name": "T1552.003 - Bash History" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1552.006", "name": "Group Policy Preferences", "display_name": "T1552.006 - Group Policy Preferences" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 17, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "hostname": 1 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 377791, "modified_text": "30 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ccd2f7984fad6feebb4ca4", "name": "VirusTotal report\n for index.html", "description": "The full text of the full report-to-gws, which was published on 1 April 2026, has been published online by the Csp website, following a request from the BBC>pretext .", "modified": "2026-04-01T08:44:36.825000", "created": "2026-04-01T08:10:31.621000", "tags": [ "self", "downlink rtt", "html document", "ascii text", "crlf line", "windows", "linux", "build web", "html", "javascript", "https", "acceptencoding", "cookie", "dynamic", "authorization", "contentmd5", "wp engine", "xmsedgeref ref", "bl2edge1520 ref", "expires sun", "gmt date", "gmt xcache", "tcphit", "gmt etag", "b8glwd", "afeap", "bmxagc", "e5bfse", "bgs6mb", "bjwmce", "ciztgb", "kqhykb", "cxxawb", "fevhcf", "code", "server", "registrar abuse", "admin country", "expiration date", "registry domain", "registrar iana", "creation date", "admin city", "redmond tech", "samesitelax", "path", "httponly", "secure", "priorityhigh", "gmt contenttype", "contentlength", "connection", "cfray", "accept", "anycast", "wifi display", "android", "hdtv", "anycast og", "anything", "big screen", "mobileoptimized", "try shopify", "platform", "businesses", "shopify fb", "shopify og", "snapchat", "chat", "snaps", "a snap", "utc google", "adobe dynamic", "tag management", "amazon", "utc amazon", "utc facebook", "connect na", "analytics na", "tag manager", "gdlname", "miss", "drupal", "miss xtimer", "ve9 xcache", "miss date", "gmt link", "build", "home og", "cloudfront", "iad6", "kb body", "sha256", "aspen", "aspen one", "return", "transformed og", "aioseo", "site kit", "google", "file type", "name file", "html internet", "unicode text", "utf8 text" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1014", "name": "Rootkit", "display_name": "T1014 - Rootkit" }, { "id": "T1047", "name": "Windows Management Instrumentation", "display_name": "T1047 - Windows Management Instrumentation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1203", "name": "Exploitation for Client Execution", "display_name": "T1203 - Exploitation for Client Execution" }, { "id": "T1485", "name": "Data Destruction", "display_name": "T1485 - Data Destruction" }, { "id": "T1496", "name": "Resource Hijacking", "display_name": "T1496 - Resource Hijacking" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1542", "name": "Pre-OS Boot", "display_name": "T1542 - Pre-OS Boot" }, { "id": "T1564", "name": "Hide Artifacts", "display_name": "T1564 - Hide Artifacts" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1046", "name": "Network Service Scanning", "display_name": "T1046 - Network Service Scanning" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 238, "URL": 367, "domain": 80, "hostname": 155, "FileHash-MD5": 115, "FileHash-SHA1": 105, "email": 5, "IPv4": 40, "SSLCertFingerprint": 4 }, "indicator_count": 1109, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "19 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69bf253c0d01550b4e613cbf", "name": "Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets", "description": "", "modified": "2026-03-21T23:09:48.140000", "created": "2026-03-21T23:09:48.140000", "tags": [ "ci/cd", "teampcp cloud stealer", "credential theft", "trivy", "infostealer", "supply chain attack", "typosquat", "github actions", "exfiltration" ], "references": [ "https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise" ], "public": 1, "adversary": "TeamPCP", "targeted_countries": [], "malware_families": [ { "id": "TeamPCP Cloud stealer", "display_name": "TeamPCP Cloud stealer", "target": null } ], "attack_ids": [ { "id": "T1552.005", "name": "Cloud Instance Metadata API", "display_name": "T1552.005 - Cloud Instance Metadata API" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1505.003", "name": "Web Shell", "display_name": "T1505.003 - Web Shell" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1552.003", "name": "Bash History", "display_name": "T1552.003 - Bash History" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1552.006", "name": "Group Policy Preferences", "display_name": "T1552.006 - Group Policy Preferences" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.004", "name": "Unix Shell", "display_name": "T1059.004 - Unix Shell" }, { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1078", "name": "Valid Accounts", "display_name": "T1078 - Valid Accounts" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1567.002", "name": "Exfiltration to Cloud Storage", "display_name": "T1567.002 - Exfiltration to Cloud Storage" }, { "id": "T1505", "name": "Server Software Component", "display_name": "T1505 - Server Software Component" }, { "id": "T1574.002", "name": "DLL Side-Loading", "display_name": "T1574.002 - DLL Side-Loading" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" } ], "industries": [], "TLP": "white", "cloned_from": "69bd18a7cc27dfdfaf6f56a4", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 1, "hostname": 1 }, "indicator_count": 4, "is_author": false, "is_subscribing": null, "subscriber_count": 266, "modified_text": "29 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://scan.aquasecurtiy.org", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://scan.aquasecurtiy.org", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776713015.8795307 }