# Copyright (c) 2014-2026 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: shai-hulud, phantomraven

# Reference: https://www.reversinglabs.com/blog/operation-brainleeches-malicious-npm-packages-fuel-supply-chain-and-phishing-attacks

http://137.184.153.238
137.184.153.238:443
brainleeches.xyz
ourwhite.brainleeches.xyz

# Reference: https://blog.sonatype.com/npm-packages-caught-exfiltrating-kubernetes-config-ssh-keys
# Reference: https://blog.phylum.io/sensitive-data-exfiltration-campaign-targets-npm-and-pypi/

threatest.com
app.threatest.com
down.threatest.com
cjq18vv2vtc0000pszdggkb7ssayyyyyd.oast.fun

# Reference: https://blog.phylum.io/persistent-npm-campaign-shipping-trojanized-jquery/

addpack.newrxl.online
ajax.failexpect.biz.id
anti-spam.truex.biz.id
api-bo.my.id
api-system.engineer
api-web-vrip.hanznesia.my.id
api.codatuys.biz.id
api.iimg.my.id
api.jstyy.xyz
api.newrxl.online
apii-pandawara.ganznesia.my.id
apii.codatuys.cab
apii.fukaes.ninja
apiiiwebterbaru2024.duckdns.org
apiweb.eventtss.my.id
codatuys.cab
cssimage.dimashost.xyz
dana-dompet-digital.qxue.biz.id
danu.eventtss.my.id
denii.biz.id
dimashost.xyz
ditzzultimate.xyz
dmdpanel.my.id
eventtss.my.id
failexpect.biz.id
fukaes.ninja
ganznesia.my.id
icikipoxx.pw
iimg.my.id
irisainginbos.icikipoxx.pw
jqbzu-18.cfd
jstyy.xyz
klikmelanjutkan-klik.sahdk.my.id
lngss.my.id
lnpss.my.id
log.api-system.engineer
log.systems-alexhost.xyz
nd.api-system.engineer
newrxl.online
newww.my.id
ns.api-system.engineer
panel-host.clannesia.com
panel-host.dmdpanel.my.id
panel.api-bo.my.id
paneljs.dimashost.xyz
paneljs.hanznesia.my.id
patipride.icikipoxx.pw
pokemon.denii.biz.id
project.systemgoods.me
pukil.dannew.biz.id
qxue.biz.id
sahdk.my.id
saystem.ditzzultimate.xyz
system-alexhosting.biz.id
systemgoods.me
systemport.duckdns.org
systems-alexhost.xyz
terbarucuy.terbaruxx.my.id
terbaruxx.biz.id
terbaruxx.cafegt.my.id
terbaruxx.hydickyy.my.id
terbaruxx.iwvx77.cfd
terbaruxx.jqbzu-18.cfd
terbaruxx.lngss.my.id
terbaruxx.lnpss.my.id
terbaruxx.my.id
terbaruxx.newww.my.id
terbaruxx.newxxx.online
terbaruxx.x-vip.my.id
truex.biz.id

# Reference: https://www.reversinglabs.com/blog/malicious-npm-patch-delivers-reverse-shell

5.199.166.1:31337

# Reference: https://www.sonatype.com/blog/multiple-crypto-packages-hijacked-turned-into-info-stealers

eoi2ectd5a5tn1h.m.pipedream.net

# Reference: https://x.com/BleepinComputer/status/1914723629192847406
# Reference: https://x.com/ValidinLLC/status/1914759729722622340
# Reference: https://app.validin.com/detail?find=297eeccac7d5e089db1af9bd2862fe9c3d81a742&type=hash&ref_id=77c4dbed5fc#tab=host_pairs

0x9c.xyz
npmjr.com

# Reference: https://socket.dev/blog/malicious-npm-packages-hijack-cursor-editor-on-macos

aiide.xyz
api.aiide.xyz
cursor.sw2031.com
t.sw2031.com

# Reference: https://www.aikido.dev/blog/catching-a-rat-remote-access-trojian-rand-user-agent-supply-chain-compromise
# Reference: https://app.validin.com/detail?find=f501e29ccf5831a92111&type=hash&ref_id=44e8bf21260#tab=host_pairs (# 2025-05-24)
# Reference: https://www.virustotal.com/gui/file/236ff897dee7d21319482cd67815bd22391523e37e0452fa230813b30884a86f/detection

23.27.20.143:27017
85.239.62.36:27017
85.239.62.36:3306

# Reference: https://x.com/malwrhunterteam/status/2015776569986310310
# Reference: https://www.aikido.dev/blog/supply-chain-attack-on-react-native-aria-ecosystem

136.0.9.8:27017
136.0.9.8:3306
136.0.9.8:443

# Reference: https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages

webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7

# Reference: https://socket.dev/blog/malicious-fezbox-npm-package-steals-browser-passwords-from-cookies-via-innovative-qr-code
# Reference: https://intel.breakglass.tech/post/fezbox-npm-supply-chain-qr-steganography-operator-self-doxx-nanjing

http://1.94.210.59
http://183.210.123.88
1.94.210.59:8080
183.210.123.88:443
my-nest-app-production.up.railway.app
res.cloudinary.com/dhuenbqsq/image/upload/v1755767716/b52c81c176720f07f702218b1bdc7eff_h7f6pn.jpg

# Reference: https://socket.dev/blog/10-npm-typosquatted-packages-deploy-credential-harvester
# Reference: https://www.virustotal.com/gui/file/80552ce00e5d271da870e96207541a4f82a782e7b7f4690baeca5d411ed71edb/detection

http://195.133.79.43
195.133.79.43:8080

# Reference: https://unit42.paloaltonetworks.com/npm-supply-chain-attack/ (# shai-hulud)

webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7

# Reference: https://x.com/marius_benthin/status/2020806955804098628

ext-checkdin.vercel.app

# Reference: https://socket.dev/blog/malicious-dydx-packages-published-to-npm-and-pypi

priceoracle.site
dydx.priceoracle.site

# Reference: https://x.com/marius_benthin/status/2023699199821304045

storeartifacts.com
package.storeartifacts.com

# Reference: https://www.koi.ai/blog/phantomraven-npm-malware-hidden-in-invisible-dependencies

storeartifact.com
packages.storeartifact.com

# Reference: https://x.com/marius_benthin/status/2011354562494345218

jpartifacts.com
npm.jpartifacts.com

# Reference: https://www.esentire.com/blog/north-korean-apt-malware-analysis-dev-popper-rat-and-omnistealer-everyday-im-shufflin

177.243.216.132:27017

# Reference: https://youtu.be/NCl8kSbac-Y?t=2240

185.183.106.85:43662

# Reference: https://youtu.be/NCl8kSbac-Y?t=2506
# Reference: https://www.virustotal.com/gui/ip-address/144.126.214.174/relations

tradeeno.com
admin.tradeeno.com
api.tradeeno.com
gfrja.mongodb.net
cluster0.gfrja.mongodb.net

# Reference: https://youtu.be/NCl8kSbac-Y?t=2521
# BANNER_0_HASH-HOST=477f1899900e9977482e981e7522c98c
# ETAG-HOST=W/"69744288-264"

asdf11.xyz
lll.taxi
mashhad.app
myaunet.su

# Reference: https://x.com/ramimacisabird/status/2038813850179449156
# Reference: https://app.garnet.ai/public/detections/6c823543-6d82-5677-8048-40b38527250a
# Reference: https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan
# Reference: https://www.virustotal.com/gui/ip-address/142.11.206.73/relations
# Reference: https://www.virustotal.com/gui/file/e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09/detection
# Reference: https://www.virustotal.com/gui/file/f7d335205b8d7b20208fb3ef93ee6dc817905dc3ae0c10a0b164f4e7d07121cd/detection
# ETAG-IP=W/"16-zUIWjx30dNMOrJoqA1R8JWYnVAw"

142.11.196.106:8000
142.11.196.106:8080
142.11.206.73:8000
23.254.167.216:8000
23.254.203.244:8000
callnrwise.com
sfrclak.com
hwsrv-1320779.hostwindsdns.com

# Reference: https://threatbook.io/blog/lazarus-group-poisons-axios-inside-the-npm-supply-chain-attack

142.11.196.73:8080
142.11.199.73:8080

# Reference: https://opensourcemalware.com/npm/chai-extensions-extras

server-check-genimi.vercel.app

# Reference: https://opensourcemalware.com/npm/chai-as-chain-v2

jsonkeeper.com/b/FAWPU

# Reference: https://x.com/npm_malware/status/2039447751214395503

jsonkeeper.com/b/YY8VI

# Reference: https://x.com/abh1sek/status/2041160413778460947

jsonkeeper.com/b/XB9WY

# Reference: https://safedep.io/malicious-npm-strapi-plugin-events-c2-agent/

144.31.107.231:8181
144.31.107.231:8888
144.31.107.231:9999

# Reference: https://x.com/marius_benthin/status/2041951353233145912

213.186.33.5:14444
83.168.95.79:14444
grimgg.pl

# Reference: https://socket.dev/blog/namastex-npm-packages-compromised-canisterworm

api-monitor.com
telemetry.api-monitor.com
cjn37-uyaaa-aaaac-qgnva-cai.raw.icp0.io

# Reference: https://x.com/npm_malware/status/2046952330084687973
# Reference: https://socket.dev/npm/package/@zohodesk/react-cli/files/1.1.18/lib/utils/dependencyPostPublish.js

tsi-desk-mock.tsi.zohocorpin.com

# Reference: https://x.com/npm_malware/status/2047405340254421279
# Reference: https://socket.dev/npm/package/snapchat-followers-free-membership761/files/1.0.2/package%20gene.py
# wordpres_user = khalidirrajy@gmail.com

fundacionsuma.org/wp-admin/post.php
hiromi-haneda.com/wp-admin/post.php
journaldogs.com/wp-admin/post.php

# Reference: https://x.com/npm_malware/status/2047770322938835364
# Reference: https://socket.dev/npm/package/ikyy/files/4.0.6/lib/buathtml.js

sl.rzkyfdlh.tech

# Reference: https://x.com/npm_malware/status/2048145137986138186
# Reference: https://socket.dev/npm/package/apple-psh/files/4.0.3/index.js

54.173.15.59:8080

# Reference: https://x.com/npm_malware/status/2048311208928026761
# Reference: https://socket.dev/npm/package/@gbrlxvii/ts-env-validator/files/1.0.5/postinstall.js

aaronstack.com

# Reference: https://socket.dev/blog/tanstack-brandsquat-compromise

api.svix.com/ingest/api/v1/source/src_3387PLMB2uhXOBe3Q8sHu/in/3j2jokvbaF4WWdngv8zBbk

# Reference: https://socket.dev/blog/mini-shai-hulud-packagist-malicious-intercom-php-package-compromise

domainzero.masscan.cloud
zero.masscan.cloud
