{
  "schema": "cremit-ioc/v1",
  "generated_at": "2026-05-20T07:04:05.261Z",
  "package": {
    "ecosystem": "pypi",
    "name": "pipeline-check",
    "version": "1.1.0",
    "publisher": "Daniel Martin",
    "sha256": "ce56595a264b9a446ae43f28231b0a59f6c3d6c600eedef27f0c92492dba4037",
    "tarball_url": "https://files.pythonhosted.org/packages/2a/86/92fba95a66e6db7e1ce0f196d26f35e25f848e6f5c6e7810bcfd72dd9551/pipeline_check-1.1.0.tar.gz",
    "weekly_downloads": 431,
    "description": "CI/CD Security Posture Scanner — scores AWS, Terraform, CloudFormation, GitHub Actions, GitLab CI, Azure DevOps, Bitbucket Pipelines, Jenkins, CircleCI, Google Cloud Build, Buildkite, Drone CI, Tekton, Argo Workflows, Dockerfile, Kubernetes manifests, Helm charts, OCI image manifests, SCM repo posture (GitHub / GitLab / Bitbucket), npm and pypi dependency files against OWASP Top 10 CI/CD Risks and 14 other compliance frameworks",
    "repository_url": "https://github.com/dmartinochoa/pipeline-check",
    "first_published_at": "2026-04-20T12:42:25.233Z"
  },
  "classification": {
    "label": "malicious",
    "confidence": 0.96,
    "summary": "Worm self-propagation: package reads .npmrc _authToken AND invokes npm publish in install-path code. Shai-Hulud-class shape — no legitimate package re-publishes OTHER packages from the user's machine.",
    "provider": "fast-track",
    "heuristic_score": 35,
    "disposition": "auto-published"
  },
  "references": {
    "npm_url": null,
    "pypi_url": "https://pypi.org/project/pipeline-check/1.1.0/",
    "osv_id": null,
    "osv_url": null,
    "package_page": "https://incidents.cremit.io/packages/pypi/pipeline-check"
  },
  "techniques": [
    {
      "id": "T1033",
      "name": "System Owner/User Discovery",
      "tactic": "Discovery"
    },
    {
      "id": "T1059",
      "name": "Command and Scripting Interpreter",
      "tactic": "Execution"
    },
    {
      "id": "T1059.004",
      "name": "Command and Scripting Interpreter: Unix Shell",
      "tactic": "Execution"
    },
    {
      "id": "T1059.006",
      "name": "Command and Scripting Interpreter: Python",
      "tactic": "Execution"
    },
    {
      "id": "T1059.007",
      "name": "Command and Scripting Interpreter: JavaScript",
      "tactic": "Execution"
    },
    {
      "id": "T1071.001",
      "name": "Application Layer Protocol: Web Protocols",
      "tactic": "Command and Control"
    },
    {
      "id": "T1082",
      "name": "System Information Discovery",
      "tactic": "Discovery"
    },
    {
      "id": "T1115",
      "name": "Clipboard Data",
      "tactic": "Collection"
    },
    {
      "id": "T1140",
      "name": "Deobfuscate/Decode Files or Information",
      "tactic": "Defense Evasion"
    },
    {
      "id": "T1195.002",
      "name": "Supply Chain Compromise: Compromise Software Supply Chain",
      "tactic": "Initial Access"
    },
    {
      "id": "T1552.001",
      "name": "Unsecured Credentials: Credentials in Files",
      "tactic": "Credential Access"
    },
    {
      "id": "T1552.003",
      "name": "Unsecured Credentials: Bash History",
      "tactic": "Credential Access"
    },
    {
      "id": "T1567.002",
      "name": "Exfiltration Over Web Service",
      "tactic": "Exfiltration"
    }
  ],
  "indicators": {
    "network": {
      "urls": [],
      "ipv4": [],
      "webhook_bins": [],
      "discord_webhook_ids": [],
      "telegram_bots": [],
      "github_repos": []
    },
    "files": {
      "credential_paths": []
    },
    "deps": {
      "suspicious": []
    },
    "encoded": {
      "base64": []
    },
    "metadata": {
      "heuristic_flags": [
        "pypi-sdist-setup-py",
        "new-publisher:0d",
        "mature-package"
      ],
      "static_flags": [
        "py-pip-install-runtime",
        "reads-github-tokens",
        "reads-gitlab-tokens",
        "reads-ai-api-keys",
        "reads-env-vars",
        "reads-homedir",
        "child-process-spawn",
        "py-sys-platform-branch",
        "py-urllib-request",
        "public-github-push",
        "clipboard-access",
        "reads-npmrc",
        "curl-pipe-bash-unverified",
        "bun-runtime-bootstrap",
        "reads-shell-history",
        "webhook-bin",
        "discord-webhook",
        "eval-dynamic",
        "base64-decode",
        "reverse-shell",
        "wget-pipe-bash-unverified",
        "install-path-npm-publish"
      ],
      "self_described_as": []
    }
  },
  "stix_hints": {
    "indicator_pattern_examples": [
      "[file:hashes.'SHA-256' = 'ce56595a264b9a446ae43f28231b0a59f6c3d6c600eedef27f0c92492dba4037']"
    ],
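    "note": "These are STIX 2.1 indicator pattern fragments, not a full bundle. To ingest them into a threat intelligence platform (TIP), wrap each in an indicator object {type:\"indicator\", pattern:..., pattern_type:\"stix\"}, fill in the other properties STIX 2.1 requires on an indicator (spec_version, id, created, modified, valid_from), and add identity / created_by_ref objects."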
  }
}