cr-static-shared-components
cr-static-shared-components is identified in the SafeDep analysis "sl4x0 Dependency Confusion: 92 Packages Target Fortune 500". A sustained dependency confusion campaign by the sl4x0 actor likely targets 20+ organizations including Adobe, Ford, Sony, and Coca-Cola with 92+ malicious npm packages exfiltrating developer data via DNS.
discovered 2026-03-24
Threat types
credential_stealerdata_exfiltrationratpersistencedependency_confusion
Malicious versions
- 999.999.999
Campaigns
Techniques
- ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
- ttpT1059.007 Command and Scripting Interpreter: JavaScriptuses
- ttpT1036 Masquerading: package impersonation and typosquattinguses
- ttpT1552.001 Unsecured Credentials: Credentials In Filesuses
- ttpT1041 Exfiltration Over C2 Channeluses
- ttpT1105 Ingress Tool Transferuses
- ttpT1071.001 Application Layer Protocol: Web Protocolsuses
- ttpT1546 Event Triggered Executionuses
