{ "type": "URL", "indicator": "https://whereisitat.lucyatemysuperbox.space", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://whereisitat.lucyatemysuperbox.space", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4329313187, "indicator": "https://whereisitat.lucyatemysuperbox.space", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 6, "pulses": [ { "id": "69ef4b48b61dcb4f48409e68", "name": "Supply Chain Poisoning via PyPI Repository Compromise", "description": "Xinference, an open-source distributed AI model inference framework, suffered a supply chain attack when attackers compromised PyPI release credentials of maintainers and published three malicious versions (2.6.0, 2.6.1, 2.6.2) on April 22, 2026. The malicious code, encoded in Base64 layers within __init__.py, executes automatically upon library installation or import, collecting cloud credentials, SSH keys, API tokens, database passwords, cryptocurrency wallets, and environment variables. The payload specifically targets AWS environments through metadata service exploitation and uploads stolen data to attacker-controlled infrastructure. The attack affects users who downloaded these versions from PyPI, which has over 680,000 total downloads. Attribution remains unclear as TeamPCP's name appears in the code but the group denies involvement, suggesting third-party impersonation.", "modified": "2026-04-27T11:45:35.960000", "created": "2026-04-27T11:40:56.028000", "tags": [ "cloud exploitation", "supply chain attack", "pypi compromise", "base64 encoding", "xinference", "teampcp", "ai framework", "credential theft" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1552.005", "name": "Cloud Instance Metadata API", "display_name": "T1552.005 - Cloud Instance Metadata API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.003", "name": "Bash History", "display_name": "T1552.003 - Bash History" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1552.006", "name": "Group Policy Preferences", "display_name": "T1552.006 - Group Policy Preferences" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1552.007", "name": "Container API", "display_name": "T1552.007 - Container API" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA256": 2, "URL": 1, "hostname": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 386452, "modified_text": "33 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "11 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f066fc4532f3cdb1c4496c", "name": "2025-07-09- Socket not responding: [Errno 104] Connection reset by peer", "description": "2025-07-09- Socket not responding: [Errno 104] Connection reset by peer.\nArin has assigned client who does not hold an aws account a server that is unsigned and expired (potentially) leaving amazon vulnerable. Rec: watch ai \"facts\" \"do you want to know\" and alexa skills for potential exploitation due to degrading systems which are not a company reflection rather an epic IP server and certificate failure worldwide, mostly United though. Attached are known and public sourcee APK Base IOCs.", "modified": "2026-05-29T00:06:38.152000", "created": "2026-04-28T07:51:24.539000", "tags": [ "date", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "amazon", "net3128001", "net3168001" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 521, "FileHash-SHA1": 400, "FileHash-SHA256": 2258, "domain": 128, "hostname": 221, "CIDR": 3, "URL": 266 }, "indicator_count": 3797, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f066fdb68cb229059bbba0", "name": "2025-07-09- Socket not responding: [Errno 104] Connection reset by peer", "description": "2025-07-09- Socket not responding: [Errno 104] Connection reset by peer.\nArin has assigned client who does not hold an aws account a server that is unsigned and expired (potentially) leaving amazon vulnerable. Rec: watch ai \"facts\" \"do you want to know\" and alexa skills for potential exploitation due to degrading systems which are not a company reflection rather an epic IP server and certificate failure worldwide, mostly United though. Attached are known and public sourcee APK Base IOCs.", "modified": "2026-05-29T00:06:38.152000", "created": "2026-04-28T07:51:25.005000", "tags": [ "date", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "amazon", "net3128001", "net3168001" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 430, "domain": 4, "hostname": 49, "CIDR": 3, "URL": 11 }, "indicator_count": 517, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f19278dc975438f266791b", "name": "Supply Chain Poisoning via PyPI Repository Compromise", "description": "", "modified": "2026-04-29T05:09:12.230000", "created": "2026-04-29T05:09:12.230000", "tags": [ "cloud exploitation", "supply chain attack", "pypi compromise", "base64 encoding", "xinference", "teampcp", "ai framework", "credential theft" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1552.005", "name": "Cloud Instance Metadata API", "display_name": "T1552.005 - Cloud Instance Metadata API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.003", "name": "Bash History", "display_name": "T1552.003 - Bash History" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1552.006", "name": "Group Policy Preferences", "display_name": "T1552.006 - Group Policy Preferences" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1552.007", "name": "Container API", "display_name": "T1552.007 - Container API" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": "69ef4b48b61dcb4f48409e68", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA256": 2, "URL": 1, "hostname": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "31 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ee33a5338e44b3db2b4176", "name": "Xinference PyPI Supply Chain Poisoning Warning", "description": "On April 22, 2026, NSFOCUS CERT reported a supply chain poisoning incident involving the Xinference library on the Python Package Index (PyPI). Attackers compromised the release permission credentials of Xinference maintainers, leading to the release of three malicious library versions. These versions contained Trojans that, upon user execution, would exfiltrate sensitive data like cloud credentials, SSH keys, API tokens, database passwords, and environment variable configurations to the attackers' command and control (C2) server.", "modified": "2026-04-26T15:47:49.117000", "created": "2026-04-26T15:47:49.117000", "tags": [ "nsfocus", "april", "check", "xinference", "devnull", "nsfocus cert", "please", "pypi", "ssh key", "pypi warehouse", "sensitive", "python", "path", "grep", "service" ], "references": [ "https://nsfocusglobal.com/xinference-pypi-supply-chain-poisoning-warning/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" } ], "industries": [ "Finance", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA256": 2, "URL": 1, "hostname": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "34 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://nsfocusglobal.com/xinference-pypi-supply-chain-poisoning-warning/", "IOCs.2026.csv" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [ "Technology" ], "unique_indicators": 10 }, "other": { "adversary": [ "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar" ], "malware_families": [], "industries": [ "Technology", "Telecommunications", "Finance" ], "unique_indicators": 2834 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/lucyatemysuperbox.space", "whois": "http://whois.domaintools.com/lucyatemysuperbox.space", "domain": "lucyatemysuperbox.space", "hostname": "whereisitat.lucyatemysuperbox.space" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 6, "pulses": [ { "id": "69ef4b48b61dcb4f48409e68", "name": "Supply Chain Poisoning via PyPI Repository Compromise", "description": "Xinference, an open-source distributed AI model inference framework, suffered a supply chain attack when attackers compromised PyPI release credentials of maintainers and published three malicious versions (2.6.0, 2.6.1, 2.6.2) on April 22, 2026. The malicious code, encoded in Base64 layers within __init__.py, executes automatically upon library installation or import, collecting cloud credentials, SSH keys, API tokens, database passwords, cryptocurrency wallets, and environment variables. The payload specifically targets AWS environments through metadata service exploitation and uploads stolen data to attacker-controlled infrastructure. The attack affects users who downloaded these versions from PyPI, which has over 680,000 total downloads. Attribution remains unclear as TeamPCP's name appears in the code but the group denies involvement, suggesting third-party impersonation.", "modified": "2026-04-27T11:45:35.960000", "created": "2026-04-27T11:40:56.028000", "tags": [ "cloud exploitation", "supply chain attack", "pypi compromise", "base64 encoding", "xinference", "teampcp", "ai framework", "credential theft" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1552.005", "name": "Cloud Instance Metadata API", "display_name": "T1552.005 - Cloud Instance Metadata API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.003", "name": "Bash History", "display_name": "T1552.003 - Bash History" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1552.006", "name": "Group Policy Preferences", "display_name": "T1552.006 - Group Policy Preferences" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1552.007", "name": "Container API", "display_name": "T1552.007 - Container API" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA256": 2, "URL": 1, "hostname": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 386452, "modified_text": "33 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f32d843b6570c22f6059eb", "name": "EbeeApril2026 Pt8", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-05-30T10:03:42.474000", "created": "2026-04-30T10:23:00.416000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "yara", "filepath", "cve20221388 url", "cve20151770 cve", "client" ], "references": [ "IOCs.2026.csv" ], "public": 1, "adversary": "Trigona, SHub Stealer v2.0, Malicious Compiled HTML Help File, Vidar", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 95, "FileHash-MD5": 163, "FileHash-SHA1": 147, "FileHash-SHA256": 290, "CIDR": 1, "CVE": 12, "SSLCertFingerprint": 1, "domain": 90, "email": 2, "hostname": 116 }, "indicator_count": 917, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "11 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f066fc4532f3cdb1c4496c", "name": "2025-07-09- Socket not responding: [Errno 104] Connection reset by peer", "description": "2025-07-09- Socket not responding: [Errno 104] Connection reset by peer.\nArin has assigned client who does not hold an aws account a server that is unsigned and expired (potentially) leaving amazon vulnerable. Rec: watch ai \"facts\" \"do you want to know\" and alexa skills for potential exploitation due to degrading systems which are not a company reflection rather an epic IP server and certificate failure worldwide, mostly United though. Attached are known and public sourcee APK Base IOCs.", "modified": "2026-05-29T00:06:38.152000", "created": "2026-04-28T07:51:24.539000", "tags": [ "date", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "amazon", "net3128001", "net3168001" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 521, "FileHash-SHA1": 400, "FileHash-SHA256": 2258, "domain": 128, "hostname": 221, "CIDR": 3, "URL": 266 }, "indicator_count": 3797, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f066fdb68cb229059bbba0", "name": "2025-07-09- Socket not responding: [Errno 104] Connection reset by peer", "description": "2025-07-09- Socket not responding: [Errno 104] Connection reset by peer.\nArin has assigned client who does not hold an aws account a server that is unsigned and expired (potentially) leaving amazon vulnerable. Rec: watch ai \"facts\" \"do you want to know\" and alexa skills for potential exploitation due to degrading systems which are not a company reflection rather an epic IP server and certificate failure worldwide, mostly United though. Attached are known and public sourcee APK Base IOCs.", "modified": "2026-05-29T00:06:38.152000", "created": "2026-04-28T07:51:25.005000", "tags": [ "date", "address range", "cidr", "network name", "allocation type", "whois server", "entity amazon4", "handle", "amazon", "net3128001", "net3168001" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 10, "FileHash-SHA1": 10, "FileHash-SHA256": 430, "domain": 4, "hostname": 49, "CIDR": 3, "URL": 11 }, "indicator_count": 517, "is_author": false, "is_subscribing": null, "subscriber_count": 67, "modified_text": "1 day ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69f19278dc975438f266791b", "name": "Supply Chain Poisoning via PyPI Repository Compromise", "description": "", "modified": "2026-04-29T05:09:12.230000", "created": "2026-04-29T05:09:12.230000", "tags": [ "cloud exploitation", "supply chain attack", "pypi compromise", "base64 encoding", "xinference", "teampcp", "ai framework", "credential theft" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1552.005", "name": "Cloud Instance Metadata API", "display_name": "T1552.005 - Cloud Instance Metadata API" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1555.003", "name": "Credentials from Web Browsers", "display_name": "T1555.003 - Credentials from Web Browsers" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1087", "name": "Account Discovery", "display_name": "T1087 - Account Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1552.003", "name": "Bash History", "display_name": "T1552.003 - Bash History" }, { "id": "T1552.001", "name": "Credentials In Files", "display_name": "T1552.001 - Credentials In Files" }, { "id": "T1552.006", "name": "Group Policy Preferences", "display_name": "T1552.006 - Group Policy Preferences" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1552.007", "name": "Container API", "display_name": "T1552.007 - Container API" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": "69ef4b48b61dcb4f48409e68", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA256": 2, "URL": 1, "hostname": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "31 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69ee33a5338e44b3db2b4176", "name": "Xinference PyPI Supply Chain Poisoning Warning", "description": "On April 22, 2026, NSFOCUS CERT reported a supply chain poisoning incident involving the Xinference library on the Python Package Index (PyPI). Attackers compromised the release permission credentials of Xinference maintainers, leading to the release of three malicious library versions. These versions contained Trojans that, upon user execution, would exfiltrate sensitive data like cloud credentials, SSH keys, API tokens, database passwords, and environment variable configurations to the attackers' command and control (C2) server.", "modified": "2026-04-26T15:47:49.117000", "created": "2026-04-26T15:47:49.117000", "tags": [ "nsfocus", "april", "check", "xinference", "devnull", "nsfocus cert", "please", "pypi", "ssh key", "pypi warehouse", "sensitive", "python", "path", "grep", "service" ], "references": [ "https://nsfocusglobal.com/xinference-pypi-supply-chain-poisoning-warning/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059.006", "name": "Python", "display_name": "T1059.006 - Python" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1552.004", "name": "Private Keys", "display_name": "T1552.004 - Private Keys" } ], "industries": [ "Finance", "Telecommunications" ], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 6, "FileHash-SHA256": 2, "URL": 1, "hostname": 1 }, "indicator_count": 10, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "34 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://whereisitat.lucyatemysuperbox.space", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://whereisitat.lucyatemysuperbox.space", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780176087.7797046 }