{ "type": "URL", "indicator": "https://www.jsonkeeper.com/b/OR0FN", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://www.jsonkeeper.com/b/OR0FN", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4237239286, "indicator": "https://www.jsonkeeper.com/b/OR0FN", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "6a1a8da2ea272b7ce8412743", "name": "wormsign \u2014 supply-chain: npm:reactify-utils", "description": "Wormsign detonated npm:reactify-utils in a network-sandboxed environment. Observed 6 indicator(s); 6 appear novel against OTX as of submission. The malicious package was published to the npm registry and is included in our open supply-chain indicator feed. Full context, per-IOC tier classification, and the detonation card with MITRE TTPs: https://wormsign.io/portfolio/reactify-utils. TLP:CLEAR \u2014 indicators only, no malware samples.", "modified": "2026-05-30T07:46:30.354000", "created": "2026-05-30T07:11:30.260000", "tags": [ "wormsign", "supply-chain", "npm", "package-compromise" ], "references": [ "https://wormsign.io/portfolio/reactify-utils", "https://wormsign.io" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "w0rmsign", "id": "408234", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_408234/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "FileHash-SHA256": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 9, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a64eabf1247228cd91f305", "name": "North Korean Actors Abuse npm Ecosystem to Deliver Steganography-Based Malware", "description": "A look back at some of the most interesting snippets from the past week, as well as some interesting analysis of what might happen in the next few weeks. \u00c2\u00a31m-worth of malware.", "modified": "2026-04-02T02:10:40.173000", "created": "2026-03-03T02:59:55.403000", "tags": [ "javascript", "malware", "npm", "dprk", "appdata", "pastebin", "february", "famous chollima", "wednesday", "pm cdt", "edgar04231", "gemini", "next", "linux", "execution", "macos", "back", "\u2019m", "lazarus", "threat intelligence", "osint", "https", "apikey", "starlancer555", "thtduoje", "luka1291", "http", "millosmike3", "kaiserman1029", "crouchtomy", "holppkgaske6i75", "vlad", "malicious", "info", "august", "ottercookie", "beavertail", "april", "june", "contact" ], "references": [ "https://kmsec.uk/blog/dprk-text-steganography/", "https://dprk-research.kmsec.uk/?start=1733011200000" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "\u2019m", "display_name": "\u2019m", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "FileHash-SHA1": 10, "FileHash-SHA256": 379, "email": 76, "URL": 57, "domain": 21, "hostname": 34 }, "indicator_count": 589, "is_author": false, "is_subscribing": null, "subscriber_count": 59, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://wormsign.io/portfolio/reactify-utils", "https://kmsec.uk/blog/dprk-text-steganography/", "https://wormsign.io", "https://dprk-research.kmsec.uk/?start=1733011200000" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "\u2019m" ], "industries": [], "unique_indicators": 604 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/jsonkeeper.com", "whois": "http://whois.domaintools.com/jsonkeeper.com", "domain": "jsonkeeper.com", "hostname": "www.jsonkeeper.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "6a1a8da2ea272b7ce8412743", "name": "wormsign \u2014 supply-chain: npm:reactify-utils", "description": "Wormsign detonated npm:reactify-utils in a network-sandboxed environment. Observed 6 indicator(s); 6 appear novel against OTX as of submission. The malicious package was published to the npm registry and is included in our open supply-chain indicator feed. Full context, per-IOC tier classification, and the detonation card with MITRE TTPs: https://wormsign.io/portfolio/reactify-utils. TLP:CLEAR \u2014 indicators only, no malware samples.", "modified": "2026-05-30T07:46:30.354000", "created": "2026-05-30T07:11:30.260000", "tags": [ "wormsign", "supply-chain", "npm", "package-compromise" ], "references": [ "https://wormsign.io/portfolio/reactify-utils", "https://wormsign.io" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "w0rmsign", "id": "408234", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_408234/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 5, "FileHash-SHA256": 1 }, "indicator_count": 6, "is_author": false, "is_subscribing": null, "subscriber_count": 9, "modified_text": "2 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "69a64eabf1247228cd91f305", "name": "North Korean Actors Abuse npm Ecosystem to Deliver Steganography-Based Malware", "description": "A look back at some of the most interesting snippets from the past week, as well as some interesting analysis of what might happen in the next few weeks. \u00c2\u00a31m-worth of malware.", "modified": "2026-04-02T02:10:40.173000", "created": "2026-03-03T02:59:55.403000", "tags": [ "javascript", "malware", "npm", "dprk", "appdata", "pastebin", "february", "famous chollima", "wednesday", "pm cdt", "edgar04231", "gemini", "next", "linux", "execution", "macos", "back", "\u2019m", "lazarus", "threat intelligence", "osint", "https", "apikey", "starlancer555", "thtduoje", "luka1291", "http", "millosmike3", "kaiserman1029", "crouchtomy", "holppkgaske6i75", "vlad", "malicious", "info", "august", "ottercookie", "beavertail", "april", "june", "contact" ], "references": [ "https://kmsec.uk/blog/dprk-text-steganography/", "https://dprk-research.kmsec.uk/?start=1733011200000" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "\u2019m", "display_name": "\u2019m", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CODERED_VTA", "id": "349568", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 12, "FileHash-SHA1": 10, "FileHash-SHA256": 379, "email": 76, "URL": 57, "domain": 21, "hostname": 34 }, "indicator_count": 589, "is_author": false, "is_subscribing": null, "subscriber_count": 59, "modified_text": "60 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://www.jsonkeeper.com/b/OR0FN", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://www.jsonkeeper.com/b/OR0FN", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780331006.858577 }