Tactics, Techniques & Procedures

Malicious code distributed through package registry artifacts.

Windows persistence via Registry Run key and Task Scheduler.

macOS persistence via LaunchAgent plist.

Linux persistence via systemd user service.

System-wide keylogger captures all keystrokes.

Clipboard monitoring for credential and data theft.

Screenshots captured and exfiltrated via Discord webhooks.

Collection of .env files, shell history, and host inventory.

Stolen data uploaded to Hugging Face Hub repositories.

Host inventory collection including installed applications.

Chromium extension LevelDB harvesting across 21+ browsers.

Scheduled scans and automatic upload of collected data.

Malicious package content delivers exploit code intended to execute in a client application context.

Hardcoded 2FA password and recovery email installed on victim accounts via Telegram updateTwoFaSettings, with the operator's IMAP mailbox auto-submitting the confirmation code.

Listens for messages on Telegram's official OTP sender chat 777000 and forwards every login code to operator-controlled bot channels.

Malware propagates or executes across additional systems by abusing remote management channels.

Malware modifies account state, access paths, sessions, or authorization material to expand or preserve access.

Malware hides payloads, strings, or logic through obfuscation, encoding, or non-obvious containers.

Malware steals application, cloud, package registry, CI/CD, or developer platform access tokens.

Malware deletes, corrupts, or otherwise destroys local data or system state.

Malware abuses legitimate web services such as Telegram, Discord, GitHub, Cloudflare Workers, or SaaS APIs for C2 or exfiltration.

Malware executes Python through PyPI package setup, install, or imported package code.

Malware searches local files, configuration, environment material, or developer workspaces for credentials.

Collected credentials, files, or host data are sent to attacker-controlled infrastructure.

Malware targets SSH keys, wallet private keys, or other private key material.

Malware uses DNS requests as a command-and-control or exfiltration transport.

Malware targets browser cookies or session material for account takeover or downstream access.

Malware uses HTTP, HTTPS, or WebSocket traffic for command-and-control or data movement.

Malware relies on package lifecycle events, hooks, or other trigger points to execute or maintain access.

Package names, metadata, or publishing context imitate legitimate public or private dependencies.

Malicious code is distributed through package registry artifacts or trusted developer tooling dependencies.

Malware executes JavaScript through npm package entrypoints, lifecycle hooks, or imported package code.

Package code retrieves additional payloads, tools, or stage-two malware after execution.