
incidents.cremit.io

A reference feed of real-world Non-Human Identity (NHI) credential leak incidents. Maintained by Cremit.

status: monitor active
build: 2026-05-20
origin: cremit · seoul, kr
license: CC BY 4.0

© 2026 Cremit. content reuse encouraged with attribution.

exfil destinations

Where caught packages send data

Every external endpoint extracted from caught packages — webhook URLs, Discord webhooks, Telegram bot tokens, raw public IPs. Ranked by how many distinct packages referenced each destination. Use as a drop-in IOC list for IR, EDR, WAF, and TIP feeds.

destinations: 6 · packages: 7 · campaigns: 2

// Webhook bins

Generic webhook-bin services (webhook.site, requestcatcher, pipedream, etc.). Free to set up, low takedown risk, dominant exfil pattern.

5 distinct

  • wvmjioytxqdcokzvflqjv6v35ug1nfyjl.oast.fun (3 packages, shared)
    npm/collected-forms-embed-js, npm/did-0091, npm/stripe-internal-utils
  • lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun (3 packages, shared)
    npm/stripe-internal-utils, npm/did-0091, npm/collected-forms-embed-js
  • https://webhook.site/f684d33e-9a2b-4c7d-8e1f-3a5b2c4d6e7f (2 packages, shared)
    npm/defi-threat-scanner, npm/web3-secrets-detector
  • https://webhook.site/f684d33e-7d78-49cb-8798-49952a0a3036 (1 package)
    npm/env-security-scanner
  • tjalcgvzuaojvayjfdfh1rtb4ojaobofs.oast.fun (1 package)
    npm/did-0091

// Public IPs

Hardcoded public IPv4 destinations. Often a researcher box or a compromised host — the operator's most attributable surface.

1 distinct

  • 104.248.94.23 (1 package)
    npm/react-dom-helper