{"campaign":{"name":"tanvisoul9 npm Backdoors","slug":"tanvisoul9-npm-backdoors","href":"/ti/campaigns/tanvisoul9-npm-backdoors","description":"npm packages published by a single operator that plant SSH backdoors and full remote access trojans on developer machines. All variants exfiltrate stolen data to the tanvisoul9@gmail.com mailbox, tying the packages to one actor.","objective":"Gain persistent remote access to developer machines and steal credentials.","aliases":[],"discovered_at":"2026-04-14"},"packages":[{"ecosystem":"npm","name":"dom-utils-lite","href":"/ti/packages/npm/dom-utils-lite","threat_types":["persistence","data_exfiltration","c2_agent"],"versions":["1.0.0"]},{"ecosystem":"npm","name":"centralogger","href":"/ti/packages/npm/centralogger","threat_types":["persistence","data_exfiltration","c2_agent"],"versions":["1.0.5","1.0.6","1.0.7","1.0.8","1.0.9"]},{"ecosystem":"npm","name":"node-env-resolve","href":"/ti/packages/npm/node-env-resolve","threat_types":["credential_stealer","data_exfiltration","rat","persistence"],"versions":["1.0.3"]}],"indicators":[{"kind":"domain","value":"xienztiavkygvacpqzgr.supabase.co","href":"/ti/ioc/domain/xienztiavkygvacpqzgr.supabase.co","context":"Network indicator from blog post"},{"kind":"domain","value":"ndfcioahsbgsjmulpjgt.supabase.co","href":"/ti/ioc/domain/ndfcioahsbgsjmulpjgt.supabase.co","context":"Network indicator from blog post"},{"kind":"sha256","value":"4600db4fc30fb6ffa68deed4a25679e674bb3a3e8dae31f3dfc83bea0d757a8f","href":"/ti/ioc/sha256/4600db4fc30fb6ffa68deed4a25679e674bb3a3e8dae31f3dfc83bea0d757a8f","context":"SHA-256 hash from blog post"},{"kind":"sha256","value":"2e131f47090516e5a60553aa40d46823e08162390c1d6deb075cf317f00309f7","href":"/ti/ioc/sha256/2e131f47090516e5a60553aa40d46823e08162390c1d6deb075cf317f00309f7","context":"SHA-256 hash from blog post"},{"kind":"email","value":"tanvisoul9@gmail.com","href":"/ti/ioc/email/tanvisoul9@gmail.com","context":"Email indicator from blog 
post"},{"kind":"domain","value":"152.67.0.53","href":"/ti/ioc/domain/152.67.0.53","context":"Network indicator from blog post (value is an IPv4 address, not a hostname; the same address is also listed under kind ipv4)"},{"kind":"ipv4","value":"152.67.0.53","href":"/ti/ioc/ipv4/152.67.0.53","context":"IP address indicator from blog post"},{"kind":"ipv4","value":"216.126.237.71","href":"/ti/ioc/ipv4/216.126.237.71","context":"IP address indicator from blog post"}],"ttps":[{"name":"Supply Chain Compromise: Compromise Software Dependencies and Development Tools","mitre_attack_id":"T1195.001","href":"/ti/ttps/T1195.001"},{"name":"Command and Scripting Interpreter: JavaScript","mitre_attack_id":"T1059.007","href":"/ti/ttps/T1059.007"},{"name":"Exfiltration Over C2 Channel","mitre_attack_id":"T1041","href":"/ti/ttps/T1041"},{"name":"Unsecured Credentials: Private Keys","mitre_attack_id":"T1552.004","href":"/ti/ttps/T1552.004"},{"name":"Ingress Tool Transfer","mitre_attack_id":"T1105","href":"/ti/ttps/T1105"},{"name":"Application Layer Protocol: Web Protocols","mitre_attack_id":"T1071.001","href":"/ti/ttps/T1071.001"},{"name":"Web Service","mitre_attack_id":"T1102","href":"/ti/ttps/T1102"},{"name":"Event Triggered Execution","mitre_attack_id":"T1546","href":"/ti/ttps/T1546"},{"name":"Unsecured Credentials: Credentials In Files","mitre_attack_id":"T1552.001","href":"/ti/ttps/T1552.001"},{"name":"Steal Web Session Cookie","mitre_attack_id":"T1539","href":"/ti/ttps/T1539"}],"related_campaigns":[],"reports":[{"title":"Malicious dom-utils-lite npm SSH Backdoor via Supabase","url":"https://safedep.io/malicious-dom-utils-lite-npm-ssh-backdoor","published_at":"2026-04-14"},{"title":"node-env-resolve: npm Package Installs a Full RAT","url":"https://safedep.io/malicious-npm-node-env-resolve-rat","published_at":"2026-05-03"}]}