{
  "Event": {
    "analysis": "1",
    "date": "2026-04-24",
    "extends_uuid": "",
    "info": "[Threat Intel] The npm Threat Landscape: Attack Surface and Mitigations",
    "protected": false,
    "publish_timestamp": "1779545691",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779545691",
    "uuid": "f27242ef-2ebd-4418-bdf8-ecfc2efb4acc",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#0afe32",
        "local": false,
        "name": "misp-galaxy:producer=\"Palo Alto\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#bb2745",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#d3f567",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#56c932",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#2c1d2e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ed4a7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1555.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#e7d11f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Private Keys - T1552.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#f95f85",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#12d28f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Account - T1087.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Host Software Binary - T1554\"",
        "relationship_type": ""
      },
      {
        "colour": "#71ecdb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Account Manipulation - T1098\"",
        "relationship_type": ""
      },
      {
        "colour": "#f07d7c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1571\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#d596aa",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration to Cloud Storage - T1567.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#30cc3b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#44b2c2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Hidden Files and Directories - T1564.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#37c019",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Accounts - T1078.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#8d021b",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Dead Drop Resolver - T1102.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005e",
        "local": false,
        "name": "rectifyq:topic=\"supply-chain\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Shai-Hulud\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:online-service=\"3b16bb5a-eb4f-4603-a909-bebc5df4a46d\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777287607",
        "to_ids": false,
        "type": "link",
        "uuid": "6235813f-d512-47ec-befd-ca085340a9f2",
        "value": "https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777287607",
        "to_ids": false,
        "type": "link",
        "uuid": "614e2219-e974-4bba-a77a-285403c81fd7",
        "value": "https://unit42.paloaltonetworks.com/wp-content/uploads/2026/04/05_Malware_Category_1920x900.jpg"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777287607",
        "to_ids": false,
        "type": "text",
        "uuid": "c90480e5-b4cd-4be6-af9d-e9560b88793a",
        "value": "The npm ecosystem experienced a critical shift in September 2025 with the Shai-Hulud worm, marking the transition from isolated attacks to systematic supply chain compromises. In April 2026, TeamPCP launched a coordinated campaign through a malicious @bitwarden/cli package targeting multiple distribution channels including Docker Hub, GitHub Actions, and VS Code extensions. The multi-stage payload employs advanced obfuscation, harvests credentials from cloud providers and developer workstations, exfiltrates data through encrypted HTTPS and GitHub repositories, and self-propagates by backdooring npm packages using stolen tokens. The malware uses GitHub's search API as a resilient command-and-control fallback mechanism and features anti-detection measures including Russian locale killswitches. This represents an evolution toward wormable propagation, infrastructure-level persistence, and dormant payloads that activate under specific conditions."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777287607",
        "to_ids": false,
        "type": "text",
        "uuid": "4f2d1060-5b47-4601-ae36-aa2bc8184135",
        "value": "Name: The npm Threat Landscape: Attack Surface and Mitigations\nAuthor: AlienVault\nAdversary: TeamPCP\nTags: [\"obfuscation\", \"worm propagation\", \"self-replicating malware\", \"credential harvesting\", \"npm packages\", \"ci/cd compromise\", \"shai-hulud\", \"github\", \"supply chain\"]\nTgtd countries: []\nMlwr families: [\"Shai-Hulud\"]\nAttack_ids: [\"T1132.001\", \"T1059.007\", \"T1036.005\", \"T1573.001\", \"T1497.001\", \"T1106\", \"T1555.003\", \"T1552.004\", \"T1552.001\", \"T1087.004\", \"T1554\", \"T1098\", \"T1571\", \"T1027\", \"T1195.002\", \"T1567.002\", \"T1070.004\", \"T1564.001\", \"T1078.004\", \"T1102.001\"]\nIndustries: [\"Technology\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777287607",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "00949253-b622-4478-a0b3-698ced8c0583",
        "value": "TeamPCP"
      },
      {
        "category": "Network activity",
        "comment": "C2 domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777629319",
        "to_ids": true,
        "type": "hostname",
        "uuid": "858592bb-d701-4518-b262-e92ae138fa31",
        "value": "audit.checkmarx.cx",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "Attacker-controlled domain",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777629341",
        "to_ids": true,
        "type": "domain",
        "uuid": "5ff2530e-4b0a-41be-b18c-9abe3275f2ca",
        "value": "checkmarx.cx",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Dead drop commit SHA1 (a commit identifier, presumably not a file content hash). No sample in VT.\r\nLast check: 01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545689",
        "to_ids": true,
        "type": "sha1",
        "uuid": "99c60573-716d-449b-a74e-f12525f30a14",
        "value": "bc544f455d7c06c8a1f3446160a6d9a4a8236b11",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Malicious manifest. No sample in VT.\r\nLast check: 01/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779545691",
        "to_ids": true,
        "type": "sha256",
        "uuid": "c047e769-5ece-4643-b408-1b36ed4da10a",
        "value": "167ce57ef59a32a6a0ef4137785828077879092d7f83ddbc1755d6e69116e0ad",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777629362",
        "to_ids": true,
        "type": "url",
        "uuid": "4c96ff35-a2c3-49f4-b2a3-60a7c64be585",
        "value": "http://audit.checkmarx.cx:443",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "C2 IP address",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777629383",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "b7385621-6cd8-4d50-945f-453dbe328a31",
        "value": "94.154.172.43",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
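        "comment": "Attacker IP address (this attribute also carries the false-positive:risk=\"high\" tag; confirm before using it for blocking)",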
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777629404",
        "to_ids": true,
        "type": "ip-dst",
        "uuid": "b80a1373-a1ef-43c3-9085-a5dffbce270f",
        "value": "91.195.240.123",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545684",
        "uuid": "9e044ff2-2057-4326-a080-de3c87d9f721",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Obfuscated payload",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545684",
            "to_ids": true,
            "type": "md5",
            "uuid": "21ad4319-9d23-4087-b02e-6245ad484a23",
            "value": "fb6b61447ee9f1b86067bd64b1e002b4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Obfuscated payload",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545684",
            "to_ids": true,
            "type": "sha1",
            "uuid": "3358baef-4216-483d-a2b2-83876712b225",
            "value": "5b5d76ae552dc13010b15f41955b6534b16bba12",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Obfuscated payload",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545684",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7ed764dc-1cb5-48f1-940e-876712e47ddb",
            "value": "18f784b3bc9a0bcdcb1a8d7f51bc5f54323fc40cbd874119354ab609bef6e4cb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777627309",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "cc102b50-162c-4d85-bcfd-9df636c2a861",
            "value": "24576:lNadmJ5jJSpDX6MgJIZkbCzToAX2zLFPAaPvfv1DpqMT6FoGbLH6It8YEUiaxn0v:lSYGT6MLoQYxE/XNj+"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777627309",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "5a84a022-44e4-436d-ac07-6c01c17c449b",
            "value": "10154904"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777627309",
            "to_ids": true,
            "type": "vhash",
            "uuid": "63708259-d84a-4b16-878c-cf1b1a5d8f5a",
            "value": "8396561c380ad99c2b54fea90065fb43"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777627309",
            "to_ids": true,
            "type": "filename",
            "uuid": "d28a3b58-5ad2-4f96-a71a-cb8c2ebd3c7f",
            "value": "bw1.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2026\nLast-scan\t:  01/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777627309",
            "to_ids": false,
            "type": "text",
            "uuid": "d844be96-24a1-4282-bcb6-c40b17752b0d",
            "value": "Obfuscated payload\r\nType Description: JavaScript\nMicrosoft: Trojan:JS/SPChainStealer.BB\nVT Total Detection:11/64\nFirst Submission:2026-04-23T12:55:37.000000+00:00\nLast Submission:2026-04-24T09:03:11.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545687",
        "uuid": "b564bdcd-323d-411a-b7de-24ea752a7d4a",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "Bootstrap script",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545686",
            "to_ids": true,
            "type": "md5",
            "uuid": "af2847cf-e13b-4021-9de7-3afedc89ee0a",
            "value": "1d3ca808f4c7ccf703aca2790d169bd8",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Bootstrap script",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545686",
            "to_ids": true,
            "type": "sha1",
            "uuid": "be885b94-670a-43b9-9bab-612dc079dc06",
            "value": "97707b90ba6c67ba66c03877c1ba7f7d563287c0",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "Bootstrap script",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545687",
            "to_ids": true,
            "type": "sha256",
            "uuid": "49157504-f3eb-4e7a-bfca-8993b8750435",
            "value": "f35475829991b303c5efc2ee0f343dd38f8614e8b5e69db683923135f85cf60d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777627330",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ccf01998-5a28-476f-9f3c-19b51ba3a85b",
            "value": "96:/X0oFPvcyQls5cqA2AXWYtomG7cxdTtA4PyAff:AyQ+7x2Wedpvaa"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777627330",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "43a74acd-c919-4274-a74a-010cc57ace54",
            "value": "4293"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777627330",
            "to_ids": true,
            "type": "filename",
            "uuid": "df39afce-66f7-41b0-94a3-50bd98eb098b",
            "value": "bw_setup.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 01/05/2026\nLast-scan\t:  30/04/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777627330",
            "to_ids": false,
            "type": "text",
            "uuid": "fc96a4a8-2ce8-4056-9646-9ddd9365fada",
            "value": "Bootstrap script\r\nType Description: JavaScript\nMicrosoft: Trojan:JS/ShaiWorm.DN!MTB\nVT Total Detection:25/62\nFirst Submission:2026-04-23T15:18:17.000000+00:00\nLast Submission:2026-04-23T15:18:17.000000+00:00"
          }
        ]
      }
    ]
  }
}