npm

noon-contracts

noon-contracts is identified in the SafeDep analysis "noon-contracts npm Package: DeFi Supply Chain RAT". noon-contracts poses as a Noon Protocol SDK on npm. On install it exfiltrates SSH keys, crypto wallet private keys, AWS credentials (including live STS/S3/SecretsManager calls), Kubernetes secrets, .env files, shell history, and browser wallet paths to C2 at 82.221.101.203:8443. A full eval-based remote shell polls every 45 seconds. Triple persistence via crontab, macOS LaunchAgent, Linux systemd, and shell RC injection.

discovered 2026-05-10

Threat types

credential_stealerdata_exfiltrationratpersistencec2_agentcrypto_drainer

Malicious versions

1.0.0

Campaigns

No Specific Campaignattributed-to

Indicators

domain82.221.101.203communicates-with
ipv482.221.101.203communicates-with
sha256263df2348f54f1f4980542a41f69d77b085fb28091a95979ba7f0e9f3d0da861indicates
email[email protected]exfiltrates-to

Techniques

ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttpT1059.007 Command and Scripting Interpreter: JavaScriptuses
ttpT1552.001 Unsecured Credentials: Credentials In Filesuses
ttpT1041 Exfiltration Over C2 Channeluses
ttpT1552.004 Unsecured Credentials: Private Keysuses
ttpT1528 Steal Application Access Tokenuses
ttpT1105 Ingress Tool Transferuses
ttpT1071.001 Application Layer Protocol: Web Protocolsuses
ttpT1546 Event Triggered Executionuses

Read the full analysis →