npm

martinez-polygon-clipping-tony

martinez-polygon-clipping-tony is identified in the SafeDep analysis "martinez-polygon-clipping-tony: Trojanized npm Fork Drops Telegram RAT". martinez-polygon-clipping-tony is a trojanized fork of the legitimate martinez-polygon-clipping npm package. The postinstall hook downloads a PyInstaller-packed Telegram bot from 172.86.73.132 that provides full remote shell, screenshot capture, file upload/download, and self-destruct capabilities on Windows targets.

discovered 2026-05-07

Threat types

ratpersistence

Malicious versions

1.0.0

Campaigns

No Specific Campaignattributed-to

Indicators

domain172.86.73.132communicates-with
ipv4172.86.73.132communicates-with
sha25686d17961e9662c53e1fb61701388b7c741bf79c093061df968a3e53c829dcb16indicates
email[email protected]exfiltrates-to
email[email protected]exfiltrates-to

Techniques

ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttpT1059.007 Command and Scripting Interpreter: JavaScriptuses
ttpT1105 Ingress Tool Transferuses
ttpT1071.001 Application Layer Protocol: Web Protocolsuses
ttpT1102 Web Serviceuses
ttpT1546 Event Triggered Executionuses

Read the full analysis →