domain-admin@1.6.78
a domain ssl cert admin
→ Encoded payload + dynamic execution combo (event-stream / flatmap-stream shape) — embedded blob decoded and executed at install time. Fast-tracked.
// Data staging
pattern: dest-via-hostname-var
Packages whose static analysis matched this pattern. See the per-package detail pages for the offending code excerpt.
25 packages flagged with this pattern (74 total publish events, collapsed by publisher+name). Newest first.
a domain ssl cert admin
→ Encoded payload + dynamic execution combo (event-stream / flatmap-stream shape) — embedded blob decoded and executed at install time. Fast-tracked.
Security helper for Zudoku
→ Credential read (reads-aws-creds, reads-npmrc, reads-github-tokens) paired with dest-via-hostname-var destination — classic exfiltration signature.
Coding agent CLI with persistent memory, sub-agents, intelligent routing, and orchestration
→ Credential read (reads-ai-api-keys, reads-gitlab-tokens) paired with dest-via-hostname-var destination — classic exfiltration signature.
F5 Distributed Cloud branded Starlight documentation theme
→ Credential read (reads-ai-api-keys) paired with dest-via-hostname-var destination — classic exfiltration signature.
Local-first, BYOK multi-host ops + SEO control plane — scan, diagnose and fix across 12 hosts from your own machine.
→ Credential read (reads-github-tokens, reads-gitlab-tokens, reads-gcp-creds, reads-aws-creds, reads-ai-api-keys) paired with dest-via-hostname-var destination — classic exfiltration signature.
P2P AI Document Agent - after installing globally, run `bolloon` to start the product
→ Credential read (reads-ai-api-keys, reads-seed-phrase) paired with http-to-public-ip, dest-via-hostname-var destination — classic exfiltration signature.
Claws — Terminal Control Bridge for VS Code. One command to install.
→ Worm self-propagation: package reads .npmrc _authToken AND invokes npm publish in install-path code. Shai-Hulud-class shape — no legitimate package re-publishes OTHER packages from the user's machine.
Totem LLM – Your Private AI. Run a self-hosted AI assistant locally on Linux, macOS, or Windows.
→ Credential read (reads-npmrc, reads-ai-api-keys) paired with dest-via-hostname-var destination — classic exfiltration signature.
APX — unified CLI + daemon for the Agent Project Context (APC) standard.
→ Credential read (reads-ai-api-keys) paired with dest-via-hostname-var destination — classic exfiltration signature.
CLI and AI agent of the Yoshkar-Ola urban district.
→ Credential read (reads-ai-api-keys) paired with dest-via-hostname-var destination — classic exfiltration signature.
The `@trackunit/iris-app` package is a plugin for [NX by @nrwl](https://nx.dev/). This plugin adds some helpful generators used to set up a Trackunit Iris App project.
→ Worm self-propagation: package reads .npmrc _authToken AND invokes npm publish in install-path code. Shai-Hulud-class shape — no legitimate package re-publishes OTHER packages from the user's machine.
QAECY UI Web Components
→ Encoded payload + dynamic execution combo (event-stream / flatmap-stream shape) — embedded blob decoded and executed at install time. Fast-tracked.
Multi-provider LLM client with rate limiting, token tracking, structured outputs, and continuation handling
→ Credential read (reads-ai-api-keys) paired with dest-via-hostname-var destination — classic exfiltration signature.
VulnSweep CLI - npm vulnerability scanner
→ Credential read (reads-github-tokens) paired with dest-via-hostname-var destination — classic exfiltration signature.
Hijack by Yusif Kerimov
→ Sends to suspicious destination(s): ulehcosybxwttseibbych07wphlyoxhfr.oast.fun.
Unofficial Facebook Chat API for Node.js - by N1SA9
→ No suspicious destination, no remote-exec shape — 1 known-vendor host(s).
Facebook Chat API - Modified by EryXenX | Stable, Auto Re-login, Fixed setMessageReaction
→ No suspicious destination, no remote-exec shape — 2 other host(s).
audit-logs
→ Sends to suspicious destination(s): yihpvsviuggxabauqtuedjfyzjlrtkpzx.oast.fun.
→ Sends to suspicious destination(s): webhook.site.
Alex Birsan Style
→ Sends to suspicious destination(s): lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun.
Full RCE PoC - Alex Birsan Style
→ Sends to suspicious destination(s): lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun.
Style
→ Sends to suspicious destination(s): lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun.
Full RCE PoC - Alex Birsan Style
→ Sends to suspicious destination(s): lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun.
xxx
→ Sends to suspicious destination(s): lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun.
Full RCE PoC -osama
→ Sends to suspicious destination(s): lszakfghwnvxspyfcmaabd1css99rnq3w.oast.fun.