{
  "schema": "cremit-ioc/v1",
  "generated_at": "2026-07-04T14:41:18.826Z",
  "package": {
    "ecosystem": "pypi",
    "name": "easy-tdx",
    "version": "1.0.0",
    "publisher": "Justin Gu",
    "sha256": "e0ec9952f766c49a064e0dab66a2673fb2a5bfee41719f0b97d7cc5f1cfac073",
    "tarball_url": "https://files.pythonhosted.org/packages/71/af/aabbaf0d5aa5120aa97fa2ca093ef36de8d3a3e33c4de461c52cca0a718b/easy_tdx-1.0.0.tar.gz",
    "weekly_downloads": null,
    "description": "通达信 TCP 协议行情数据客户端，支持在线行情与离线本地数据读取",
    "repository_url": "https://github.com/handsomejustin/easy_tdx",
    "first_published_at": "2026-05-22T04:34:46.425Z"
  },
  "classification": {
    "label": "malicious",
    "confidence": 0.9,
    "summary": "Hardcoded public IP destination: 180.153.18.170, 124.71.187.122, 180.153.18.171, 180.153.18.172, 119.147.212.81, 115.238.56.198, 115.238.90.165, 218.75.126.9, 47.107.75.159, 59.175.238.38, 110.41.147.114, 110.41.2.72, 101.33.225.16, 175.178.112.197, 175.178.128.227, 43.139.95.83, 124.223.163.242, 122.51.120.217, 150.158.160.2, 123.60.164.122, 111.229.247.189, 124.70.199.56, 62.234.50.143, 81.70.151.186, 82.156.214.79, 159.75.29.111, 43.139.18.171, 81.71.32.47, 122.51.232.182, 118.25.98.114, 121.36.225.169, 123.60.70.228, 123.60.73.44, 124.70.133.119, 124.71.187.72, 119.97.185.59, 129.204.230.128, 101.42.240.54, 124.71.9.153, 123.60.84.66, 111.230.186.52, 101.0.0.43 (not RFC1918 / loopback).",
    "provider": "ollama",
    "heuristic_score": 55,
    "disposition": "auto-published"
  },
  "references": {
    "npm_url": null,
    "pypi_url": "https://pypi.org/project/easy-tdx/1.0.0/",
    "osv_id": null,
    "osv_url": null,
    "package_page": "https://incidents.cremit.io/packages/pypi/easy-tdx"
  },
  "techniques": [
    {
      "id": "T1059",
      "name": "Command and Scripting Interpreter",
      "tactic": "Execution"
    },
    {
      "id": "T1059.006",
      "name": "Command and Scripting Interpreter: Python",
      "tactic": "Execution"
    },
    {
      "id": "T1071.001",
      "name": "Application Layer Protocol: Web Protocols",
      "tactic": "Command and Control"
    },
    {
      "id": "T1082",
      "name": "System Information Discovery",
      "tactic": "Discovery"
    },
    {
      "id": "T1140",
      "name": "Deobfuscate/Decode Files or Information",
      "tactic": "Defense Evasion"
    },
    {
      "id": "T1195.002",
      "name": "Supply Chain Compromise: Compromise Software Supply Chain",
      "tactic": "Initial Access"
    },
    {
      "id": "T1552.001",
      "name": "Unsecured Credentials: Credentials in Files",
      "tactic": "Credential Access"
    },
    {
      "id": "T1560",
      "name": "Archive Collected Data",
      "tactic": "Collection"
    },
    {
      "id": "T1567.002",
      "name": "Exfiltration Over Web Service",
      "tactic": "Exfiltration"
    }
  ],
  "indicators": {
    "network": {
      "urls": [],
      "ipv4": [
        "180.153.18.170",
        "124.71.187.122",
        "180.153.18.171",
        "180.153.18.172",
        "119.147.212.81",
        "115.238.56.198",
        "115.238.90.165",
        "218.75.126.9",
        "47.107.75.159",
        "59.175.238.38",
        "110.41.147.114",
        "110.41.2.72",
        "101.33.225.16",
        "175.178.112.197",
        "175.178.128.227",
        "43.139.95.83",
        "124.223.163.242",
        "122.51.120.217",
        "150.158.160.2",
        "123.60.164.122",
        "111.229.247.189",
        "124.70.199.56",
        "62.234.50.143",
        "81.70.151.186",
        "82.156.214.79",
        "159.75.29.111",
        "43.139.18.171",
        "81.71.32.47",
        "122.51.232.182",
        "118.25.98.114",
        "121.36.225.169",
        "123.60.70.228",
        "123.60.73.44",
        "124.70.133.119",
        "124.71.187.72",
        "119.97.185.59",
        "129.204.230.128",
        "101.42.240.54",
        "124.71.9.153",
        "123.60.84.66",
        "111.230.186.52"
      ],
      "webhook_bins": [],
      "discord_webhook_ids": [],
      "telegram_bots": [],
      "github_repos": []
    },
    "files": {
      "credential_paths": []
    },
    "deps": {
      "suspicious": []
    },
    "encoded": {
      "base64": []
    },
    "metadata": {
      "heuristic_flags": [
        "pypi-sdist-setup-py",
        "new-publisher:0d",
        "first-version-of-package",
        "first-version-suspicious-publisher"
      ],
      "static_flags": [
        "archive-then-upload",
        "http-to-public-ip",
        "py-socket-connect",
        "hex-decode",
        "reads-env-vars",
        "py-sys-platform-branch",
        "child-process-spawn",
        "py-pip-install-runtime"
      ],
      "self_described_as": []
    }
  },
  "stix_hints": {
    "indicator_pattern_examples": [
      "[ipv4-addr:value = '180.153.18.170']",
      "[ipv4-addr:value = '124.71.187.122']",
      "[ipv4-addr:value = '180.153.18.171']",
      "[ipv4-addr:value = '180.153.18.172']",
      "[ipv4-addr:value = '119.147.212.81']",
      "[ipv4-addr:value = '115.238.56.198']",
      "[ipv4-addr:value = '115.238.90.165']",
      "[ipv4-addr:value = '218.75.126.9']",
      "[ipv4-addr:value = '47.107.75.159']",
      "[ipv4-addr:value = '59.175.238.38']",
      "[ipv4-addr:value = '110.41.147.114']",
      "[ipv4-addr:value = '110.41.2.72']",
      "[ipv4-addr:value = '101.33.225.16']",
      "[ipv4-addr:value = '175.178.112.197']",
      "[ipv4-addr:value = '175.178.128.227']",
      "[ipv4-addr:value = '43.139.95.83']",
      "[ipv4-addr:value = '124.223.163.242']",
      "[ipv4-addr:value = '122.51.120.217']",
      "[ipv4-addr:value = '150.158.160.2']",
      "[ipv4-addr:value = '123.60.164.122']",
      "[ipv4-addr:value = '111.229.247.189']",
      "[ipv4-addr:value = '124.70.199.56']",
      "[ipv4-addr:value = '62.234.50.143']",
      "[ipv4-addr:value = '81.70.151.186']",
      "[ipv4-addr:value = '82.156.214.79']",
      "[ipv4-addr:value = '159.75.29.111']",
      "[ipv4-addr:value = '43.139.18.171']",
      "[ipv4-addr:value = '81.71.32.47']",
      "[ipv4-addr:value = '122.51.232.182']",
      "[ipv4-addr:value = '118.25.98.114']",
      "[ipv4-addr:value = '121.36.225.169']",
      "[ipv4-addr:value = '123.60.70.228']",
      "[ipv4-addr:value = '123.60.73.44']",
      "[ipv4-addr:value = '124.70.133.119']",
      "[ipv4-addr:value = '124.71.187.72']",
      "[ipv4-addr:value = '119.97.185.59']",
      "[ipv4-addr:value = '129.204.230.128']",
      "[ipv4-addr:value = '101.42.240.54']",
      "[ipv4-addr:value = '124.71.9.153']",
      "[ipv4-addr:value = '123.60.84.66']",
      "[ipv4-addr:value = '111.230.186.52']",
      "[file:hashes.'SHA-256' = 'e0ec9952f766c49a064e0dab66a2673fb2a5bfee41719f0b97d7cc5f1cfac073']"
    ],
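    "note": "These are STIX 2.1 indicator pattern fragments, not a full bundle. Wrap each in {type:\"indicator\", pattern:..., pattern_type:\"stix\"}, fill in the other properties STIX 2.1 requires on an indicator (spec_version, id, created, modified, valid_from), and add identity / created_by_ref objects to ingest into a TIP. The IPv4 patterns are hardcoded destinations taken from a package whose description says it is a TCP market-data client, and the classification above carries the disposition auto-published; confirm the addresses against the package source before using them as block indicators."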
  }
}