claude-internal-utils@9.0.5
Alex Birsan Style
→ Sends to suspicious destination(s): lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun.
// publisher campaign · npm
All caught packages published by the dewifewi account on npm, plus the author + maintainer info the registry currently exposes. Use this view to pivot: shared emails / names across packages are strong evidence of a single attacker behind multiple throwaway handles.
Account-level signals. Activity span tells you how long this handle has been around (fresh = throwaway-prone). Email domains separate single-use webmail from real org addresses. Cross-ecosystem handles + GitHub links are the strongest attribution pivot — same name on multiple registries usually means same operator.
Webhook URLs and public IPs referenced by more than one package in this campaign — the smoking-gun signal for shared backend infrastructure.
Static-analysis flags that fired across the campaign, with how many packages each touched. Use as the "what kind of stealer is this" answer.
Alex Birsan Style
→ Sends to suspicious destination(s): lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun.
Full RCE PoC - Alex Birsan Style
→ Sends to suspicious destination(s): lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun.
Style
→ Sends to suspicious destination(s): lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun.
xxx
→ Sends to suspicious destination(s): lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun.
Full RCE PoC -osama
→ Sends to suspicious destination(s): lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun.