exfil destinations

Where caught packages send data

Every external endpoint extracted from caught packages — webhook URLs, Discord webhooks, Telegram bot tokens, raw public IPs. Ranked by how many distinct packages referenced each destination. Use as a drop-in IOC list for IR, EDR, WAF, and TIP feeds.

destination

packages

campaigns

// Webhook bins

Generic webhook-bin services (webhook.site, requestcatcher, pipedream, etc.). Free to set up, low takedown risk, dominant exfil pattern.

3 distinct

wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun3 packagesshared
npm/collected-forms-embed-js npm/did-0091 npm/stripe-internal-utils
https://webhook.site/f684d33e-7d78-49cb-8798-49952a0a30361 package
npm/env-security-scanner
tjalcgvzuaojvayjfdfh1rtb4ojaobofs.oast.fun1 package
npm/did-0091

// Public IPs

Hardcoded public IPv4 destinations. Often a researcher box or a compromised host — the operator's most attributable surface.

1 distinct

104.248.94.231 package
npm/react-dom-helper