Frankly Malicious: Inside a 38-Package NPM Supply Chain Campaign Targeting Tech Giants

Introduction

In late April 2026, Panther Threat Research identified a coordinated supply chain attack campaign comprising 38 malicious NPM packages published across four threat actor accounts between 2026-04-24 and 2026-04-30 . The campaign was attributed to an Indonesian actor operating under the alias "frank" (primary NPM identity: frengki0707 ) and three rotating accounts ( raya4321 , cketol , frengki4321 ). The actor employed dependency confusion as its primary delivery vector, weaponizing *-internal-* package naming conventions to cause CI/CD pipelines to resolve malicious public packages ahead of legitimate private ones. The packages were organized into five specialized collection clusters, each impersonating the internal developer tooling of a major technology organization: Apple, Google/GCP, Alibaba/Aliyun, a generic multi-target group, and the actor's own cross-platform exfiltration toolkit ( frank-* ). This report documents the campaign's structure, actor attribution, technical exfiltration methodology, and targeted credential categories across all 38 artifacts.

Targeted Parties

The campaign's primary targets were developers and CI/CD infrastructure at four major technology organizations: Apple, Google/GCP, Alibaba/Aliyun, and a broader, generic multi-target group spanning unnamed enterprises. Rather than attacking end users directly, the threat actor frengki0707 and their rotating accounts ( raya4321 , cketol , frengki4321 ) focused on internal engineering ecosystems. Specifically the adversary focused on automated build pipelines and dependency resolution mechanisms used by software developers at these firms. By weaponizing the *-internal-* package naming convention, the actor crafted malicious NPM packages that mimicked the private tooling each organization would plausibly maintain, exploiting the dependency confusion vulnerability to cause build systems to pull attacker-controlled public packages over legitimate private ones. This means the immediate victims were not end customers but rather software engineers and DevOps/build infrastructure operating within or contracting for Apple, Google, and Alibaba environments, with credential categories and exfiltration payloads tailored to the secrets and access tokens those environments are most likely to hold. The inclusion of a generic multi-target cluster ( frank-* ) further suggests the actor intended to cast a wide net beyond these named organizations, opportunistically targeting any enterprise whose CI/CD pipelines resolved packages matching the naming pattern.

Campaign Overview

These 38 packages form a coordinated supply chain attack campaign targeting developers at or working with Apple, Google, and Alibaba/Aliyun infrastructure. The campaign uses a combination of dependency confusion, typosquatting, and internal tooling impersonation to trick developers into installing malicious packages. A recurring actor handle "frank" appears across multiple packages, suggesting a single threat actor or tightly coordinated group operating under that alias. The presence of terms like bypass , escape , leak , stealth , and poc (proof-of-concept) strongly suggests active exploitation intent rather than research.

Apple Impersonation (20 packages)

The Apple impersonation packages make up the largest cluster. Packages impersonate Apple's internal developer tooling, App Store server libraries, PKI utilities, CloudKit ( cktool ) APIs, and infrastructure management. The apple-infra-* sub-group is particularly aggressive with names like ultimate-bypass , final-escape , stealth-audit , and gcp-leak indicating that these are staged payloads designed to escalate from initial execution to full infrastructure compromise. The use of version suffixes ( -v3 , -v99 , -v9 ) mimics legitimate semantic versioning to appear credible in a package.json dependency tree.

"frank" Threat Actor Toolkit (8 packages)

The frank-* namespace is the actor's operational fingerprint. The newton3 sub-campaign shows a clear kill chain progression: db-poc → db-final → user-hunt → final-audit , consistent with iterative development of a credential harvesting and database exfiltration toolset. The npm scoped account @frengki0707 is likely the same actor, confirming a persistent identity across registries.

Google / GCP Impersonation (7 packages)

Targets GCP-adjacent developers by mimicking internal build helpers, logging utilities, mono-repo tools, and audit packages. gcp-internal-research-poc and frank-bot-gogle-cloning (note intentional typo) suggest this cluster was built to harvest GCP service account credentials and OAuth tokens from CI/CD pipeline environments.

Alibaba / Aliyun Impersonation (3 packages)

A smaller but focused cluster impersonating Alibaba Cloud SDK internals ( alicloud-pop-core mimics the legitimate Alibaba Cloud POP core library) and internal configuration utilities. frank-at-alibaba-internal directly ties this cluster to the frank actor.

Generic / Multi-Target (3 packages)

npm-global-util is a broad opportunistic package targeting any developer environment. agents-a365-runtime appears to target Microsoft 365 / Azure agent runtimes, broadening the campaign beyond Apple/Google/Alibaba. internal-sys-audit-check uses authoritative-sounding language to masquerade as a legitimate security tool on developer machines.

Technical Analysis

The 38 malicious NPM packages in this campaign employed a unified, staged exfiltration framework delivered primarily via dependency confusion where all packages used -internal- naming conventions to cause CI/CD pipelines to resolve them from the public NPM registry ahead of private ones.

This process required no user interaction beyond a standard npm install . Execution was triggered through postinstall hooks embedded in packages named with terms like -audit , -check , -monitor , and -config , which developers naturally expect to run on installation or access environment variables. Once executed, packages followed a consistent four-stage kill chain best exemplified by the frank-newton3-* sub-series ( db-poc → db-final → user-hunt → final-audit ). This chain progressed from system fingerprinting ( whoami , hostname , uname -a ) through targeted credential harvesting, lateral target enumeration, and finally C2 beacon transmission. Every package across all five clusters performed Stage 1 system identity recon, while subsequent stages were specialized by cluster. Apple-targeting packages ( apple-infra-* ) focused on NPM auth tokens, AWS credentials, and developer PKI material. The Google/GCP cluster harvested gcloud service account credentials and Kubernetes configs. The Alibaba cluster extracted Aliyun RAM keys. The frank-newton3-* series specifically targeted .env files, DB_* environment variables, SSH keys, and MySQL/Postgres dumps.

The frank-* namespace packages served as the shared exfiltration backbone across all clusters, acting as a common C2 beacon and credential packaging library that platform-specific packages ( apple-* , google-* , aliyun-* ) depended on at runtime. Each cluster functioned as a specialized collection arm with Apple tokens, GCP credentials, Aliyun keys, database secrets all funneling into the same frank-* exfiltration infrastructure. The strategic targeting of NPM publish tokens ( NPM_TOKEN , NODE_AUTH_TOKEN ) via packages like @frengki0707/google-cloud-clone and npm-global-util was the highest-value vector, as successful theft would have enabled the actor to inject malicious code into legitimate, trusted packages therefore effectively multiplying the campaign's reach beyond the initial 38 packages. Operational resilience was maintained through a four-account rotation structure ( frengki0707 → raya4321 / cketol → frengki4321 ), ensuring that takedown of any single NPM account removed only one collection arm while the rest of the infrastructure continued operating.

Attribution

This campaign is attributed with high confidence to a single Indonesian-speaking threat actor, operating across four npm publisher accounts between April 24–30, 2026.

Account Rotation

The clearest attribution link is the shared frengki base string between npm usernames frengki0707 and frengki4321. The earlier account was first observed on April 24 and went dark on April 26 after publishing 11 packages making it consistent with detection and account burnout. frengki4321 surfaced three days later, publishing ac-sasskit-beta and apple-appstore-full-library-utility. The sequential naming and timing indicate deliberate account rotation as a detection evasion strategy. A GitHub account under the handle FRENGKI-MIX also exists with matching naming conventions, though its two repositories are empty and its relationship to the campaign accounts is unconfirmed.

Persistent Alias

The name frank appears consistently across otherwise distinct accounts: getkontakfrank@gmail.com (Indonesian for "get frank's contact"), the frank-newton3-* package series under cketol, and packages such as frank-at-alibaba-internal, frank-apple-sync-service, and frank-bot-gogle-cloning under separate accounts. This recurring alias across accounts that otherwise have no surface-level connection is a significant operational failure that ties the campaign together.

Language and Infrastructure

Indonesian-language comments appear in the source of both ac-sasskit-beta (Payload: Ambil identitas sistem) and apple-internal-security-audit-v99, corroborating the language indicators present in getkontakfrank@gmail.com. "Frengki" is a given name common among the Batak ethnic group of North Sumatra, Indonesia, consistent with these findings. A GitHub account registered to raya4321 which is the npm username associated with npmtpoc@gmail.com was also identified, with zero public repositories, suggesting account creation for campaign use rather than general development activity.

At the infrastructure level, ac-sasskit-beta and apple-appstore-full-library-utility share an identical hardcoded webhook endpoint, serving as a direct technical link between the two packages published from the frengki4321 account.

Conclusion

This campaign represents a technically sophisticated, modular supply chain operation designed for broad credential harvesting across multiple major cloud ecosystems simultaneously. By combining dependency confusion delivery, postinstall hook execution, and a shared frank-* exfiltration backbone, the actor was able to run independent yet coordinated collection arms targeting Apple developer credentials, GCP service accounts, Aliyun RAM keys, database secrets, and CI/CD authentication tokens which all funneled into a common infrastructure layer. The highest-value vector identified was the targeting of NPM publish tokens ( NPM_TOKEN , NODE_AUTH_TOKEN ), which, if successfully exfiltrated, would have enabled the actor to inject malicious code into legitimate, widely-trusted packages and dramatically amplify the campaign's downstream reach. The four-account rotation structure ( frengki0707 → raya4321 / cketol → frengki4321 ) demonstrates deliberate operational resilience with a design intended to survive partial takedowns. Detection teams should prioritize alerting on -internal- NPM package resolution events in CI/CD pipelines, postinstall script execution accessing credential files ( ~/.npmrc , ~/.aws/credentials , ~/.kube/config ), and outbound beacon traffic from build environments as the highest-signal indicators of similar campaigns.

Detection

suspicious_exfiltration_domains

rule suspicious_exfiltration_domains {
    meta:
        description = "Detects domains commonly seen in malicious packages"
        author = "PantherLabs"
    strings:
        // Webhook services
        $discord = "discord.com/api/webhooks"
        $webhook = "webhook.site"
        $beeceptor = "beeceptor.com"
        $pipedream = "pipedream.net"
        $hooklistener = "app.hooklistener.com"
        $hookbin = "hookbin.com"
        
        // Tunneling services
        $ngrok = "ngrok.io"
        $ngrok2 = "ngrok-free.app"
        $ngrok_wild = /ngrok(-free)?\\.(io|app)/
        
        // DNS exfiltration
        $dnshook = "dnshook.site"
        $dnslog = "dnslog.pw"
        
        // OAST / Security testing tools
        $oast1 = "oastify.com"
        $oast2 = "byted-dast.com"
        $oast3 = "oast.fun"
        $oast4 = "oast.pro"
        $oast5 = "oast.me"
        $oast_wild = /oast\\.(fun|pro|me|live|site)/
        $interactsh = "interactsh.com"
        $burp = "burpcollaborator.net"
        $canarytokens = "canarytokens.com"
        
        // Request catchers / bins
        $request_catcher = "requestcatcher.com"
        $request_bin = "requestbin.whapi.cloud"
        $request_bin2 = "bin.graversen.io"
        $requestrepo = "requestrepo.com"
        $mockbin = "mockbin.org"
        $postbin = "postb.in"
        
        // Cloud / hosting services commonly abused
        $onrender = "onrender.com"
        $huaweicloud = "myhuaweicloud.com"
        $runpod = "proxy.runpod.net"
        
        // Data transfer
        $transfer = "transfer.sh"
        
        // Other suspicious
        $telemetry = "telemetry-hosts.com"
        $scrt = "scrt.pl"
        $vercel = /\\b[a-z0-9][-a-z0-9]{0,62}\\.vercel\\.app\\b/ nocase
        
    condition:
        any of them
}

rule suspicious_exfiltration_domains {
    meta:
        description = "Detects domains commonly seen in malicious packages"
        author = "PantherLabs"
    strings:
        // Webhook services
        $discord = "discord.com/api/webhooks"
        $webhook = "webhook.site"
        $beeceptor = "beeceptor.com"
        $pipedream = "pipedream.net"
        $hooklistener = "app.hooklistener.com"
        $hookbin = "hookbin.com"
        
        // Tunneling services
        $ngrok = "ngrok.io"
        $ngrok2 = "ngrok-free.app"
        $ngrok_wild = /ngrok(-free)?\\.(io|app)/
        
        // DNS exfiltration
        $dnshook = "dnshook.site"
        $dnslog = "dnslog.pw"
        
        // OAST / Security testing tools
        $oast1 = "oastify.com"
        $oast2 = "byted-dast.com"
        $oast3 = "oast.fun"
        $oast4 = "oast.pro"
        $oast5 = "oast.me"
        $oast_wild = /oast\\.(fun|pro|me|live|site)/
        $interactsh = "interactsh.com"
        $burp = "burpcollaborator.net"
        $canarytokens = "canarytokens.com"
        
        // Request catchers / bins
        $request_catcher = "requestcatcher.com"
        $request_bin = "requestbin.whapi.cloud"
        $request_bin2 = "bin.graversen.io"
        $requestrepo = "requestrepo.com"
        $mockbin = "mockbin.org"
        $postbin = "postb.in"
        
        // Cloud / hosting services commonly abused
        $onrender = "onrender.com"
        $huaweicloud = "myhuaweicloud.com"
        $runpod = "proxy.runpod.net"
        
        // Data transfer
        $transfer = "transfer.sh"
        
        // Other suspicious
        $telemetry = "telemetry-hosts.com"
        $scrt = "scrt.pl"
        $vercel = /\\b[a-z0-9][-a-z0-9]{0,62}\\.vercel\\.app\\b/ nocase
        
    condition:
        any of them
}

rule suspicious_exfiltration_domains {
    meta:
        description = "Detects domains commonly seen in malicious packages"
        author = "PantherLabs"
    strings:
        // Webhook services
        $discord = "discord.com/api/webhooks"
        $webhook = "webhook.site"
        $beeceptor = "beeceptor.com"
        $pipedream = "pipedream.net"
        $hooklistener = "app.hooklistener.com"
        $hookbin = "hookbin.com"
        
        // Tunneling services
        $ngrok = "ngrok.io"
        $ngrok2 = "ngrok-free.app"
        $ngrok_wild = /ngrok(-free)?\\.(io|app)/
        
        // DNS exfiltration
        $dnshook = "dnshook.site"
        $dnslog = "dnslog.pw"
        
        // OAST / Security testing tools
        $oast1 = "oastify.com"
        $oast2 = "byted-dast.com"
        $oast3 = "oast.fun"
        $oast4 = "oast.pro"
        $oast5 = "oast.me"
        $oast_wild = /oast\\.(fun|pro|me|live|site)/
        $interactsh = "interactsh.com"
        $burp = "burpcollaborator.net"
        $canarytokens = "canarytokens.com"
        
        // Request catchers / bins
        $request_catcher = "requestcatcher.com"
        $request_bin = "requestbin.whapi.cloud"
        $request_bin2 = "bin.graversen.io"
        $requestrepo = "requestrepo.com"
        $mockbin = "mockbin.org"
        $postbin = "postb.in"
        
        // Cloud / hosting services commonly abused
        $onrender = "onrender.com"
        $huaweicloud = "myhuaweicloud.com"
        $runpod = "proxy.runpod.net"
        
        // Data transfer
        $transfer = "transfer.sh"
        
        // Other suspicious
        $telemetry = "telemetry-hosts.com"
        $scrt = "scrt.pl"
        $vercel = /\\b[a-z0-9][-a-z0-9]{0,62}\\.vercel\\.app\\b/ nocase
        
    condition:
        any of them
}

rule suspicious_exfiltration_domains {
    meta:
        description = "Detects domains commonly seen in malicious packages"
        author = "PantherLabs"
    strings:
        // Webhook services
        $discord = "discord.com/api/webhooks"
        $webhook = "webhook.site"
        $beeceptor = "beeceptor.com"
        $pipedream = "pipedream.net"
        $hooklistener = "app.hooklistener.com"
        $hookbin = "hookbin.com"
        
        // Tunneling services
        $ngrok = "ngrok.io"
        $ngrok2 = "ngrok-free.app"
        $ngrok_wild = /ngrok(-free)?\\.(io|app)/
        
        // DNS exfiltration
        $dnshook = "dnshook.site"
        $dnslog = "dnslog.pw"
        
        // OAST / Security testing tools
        $oast1 = "oastify.com"
        $oast2 = "byted-dast.com"
        $oast3 = "oast.fun"
        $oast4 = "oast.pro"
        $oast5 = "oast.me"
        $oast_wild = /oast\\.(fun|pro|me|live|site)/
        $interactsh = "interactsh.com"
        $burp = "burpcollaborator.net"
        $canarytokens = "canarytokens.com"
        
        // Request catchers / bins
        $request_catcher = "requestcatcher.com"
        $request_bin = "requestbin.whapi.cloud"
        $request_bin2 = "bin.graversen.io"
        $requestrepo = "requestrepo.com"
        $mockbin = "mockbin.org"
        $postbin = "postb.in"
        
        // Cloud / hosting services commonly abused
        $onrender = "onrender.com"
        $huaweicloud = "myhuaweicloud.com"
        $runpod = "proxy.runpod.net"
        
        // Data transfer
        $transfer = "transfer.sh"
        
        // Other suspicious
        $telemetry = "telemetry-hosts.com"
        $scrt = "scrt.pl"
        $vercel = /\\b[a-z0-9][-a-z0-9]{0,62}\\.vercel\\.app\\b/ nocase
        
    condition:
        any of them
}

shady-links

# TODO: Detects these links well, but lots of legitimate packages seem to use these domain extensions
rules:
  - id: shady-links
    message: This package contains an URL to a domain with a suspicious extension
    metadata:
      description: Identify when a package contains an URL to a domain with a suspicious extension
    patterns:

      # ignore comments
      - pattern-not-regex: ^\\s*\\# .*
      - pattern-not-regex: ^\\s*\\/\\*(.|\\n)*?\\*\\/\\s*$
      - pattern-not-regex: ^\\s*\\/\\/.*$

      # ignore docstring
      - pattern-not-regex: ^\\s*"""(.|\\n)*?"""\\s*$

      # Exclude local IPv4 sometimes used in tests
      - pattern-not-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(?:192\\.168|10\\.\\d{1,3}|172\\.(?:1[6-9]|2\\d|3[0-1])|127\\.\\d{1,3})\\.\\d{1,3}\\.\\d{1,3}|0\\.0\\.0\\.0|localhost)

      # Exclude public IPv4 sometimes used in tests
      - pattern-not-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(?:1\\.1\\.1\\.1|8\\.8\\.8\\.8))

      # Exclude cloud provider metadata service IPs
      # <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html>
      - pattern-not-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(?:169\\.254\\.\\d{1,3}\\.\\d{1,3}|\\[fd00:ec2::254\\]))

      # ignore discord allowed 
      - pattern-not-regex: (?:https?:\\/\\/)?discord.com\\/(invite|oauth2\\/authorize)

      - patterns:
        - pattern: ("...")
        - pattern-either:
            # complete domains: shorteners
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(bit\\.ly)\\b)
            # complete domains: ephimerals,tunnels
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(workers\\.dev|appdomain\\.cloud|ngrok\\.io|termbin\\.com|localhost\\.run|webhook\\.(site|cool)|oastify\\.com|burpcollaborator\\.(me|net)|trycloudflare\\.com)\\b)
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(oast\\.(pro|live|site|online|fun|me)|ply\\.gg|pipedream\\.net|dnslog\\.cn|webhook-test\\.com|typedwebhook\\.tools|beeceptor\\.com|ngrok-free\\.(app|dev))\\b)
            # complete domains: exfil
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(discord\\.com|transfer\\.sh|filetransfer\\.io|sendspace\\.com|backblazeb2\\.com|paste\\.ee|pastebin\\.com|hastebin\\.com|ghostbin.site|api\\.telegram\\.org|rentry\\.co)\\b)
            # complete domains: intel 
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(ipinfo\\.io|checkip\\.dyndns\\.org|\\bip\\.me|jsonip\\.com|ipify\\.org|ifconfig\\.me)\\b)
            # complete domains: malware download
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(files\\.catbox\\.moe)\\b)

            # top-level domains
            - pattern-regex: (https?:\\/\\/[^\\n\\[\\/\\?#"']*?\\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream|zip)\\b)
            # IPv4
            - pattern-regex: (https?:\\/\\/[^\\n\\[\\/\\?#"']*?(?:\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}))
            # IPv6
            - pattern-regex: (https?:\\/\\/[^\\n\\[\\/\\?#"']*?(?:\\[(([A-Fa-f0-9]{1,4}:){0,7}|:):?[A-Fa-f0-9]{1,4}(:[A-Fa-f0-9]{1,4}){0,7})\\])
    paths:
      exclude:
        - "*/test/*"
        - "*/tests/*"
        - "*/test_*"
    languages:
      - javascript
      - json
      - python
      - typescript
      - go
    severity: WARNING

# TODO: Detects these links well, but lots of legitimate packages seem to use these domain extensions
rules:
  - id: shady-links
    message: This package contains an URL to a domain with a suspicious extension
    metadata:
      description: Identify when a package contains an URL to a domain with a suspicious extension
    patterns:

      # ignore comments
      - pattern-not-regex: ^\\s*\\# .*
      - pattern-not-regex: ^\\s*\\/\\*(.|\\n)*?\\*\\/\\s*$
      - pattern-not-regex: ^\\s*\\/\\/.*$

      # ignore docstring
      - pattern-not-regex: ^\\s*"""(.|\\n)*?"""\\s*$

      # Exclude local IPv4 sometimes used in tests
      - pattern-not-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(?:192\\.168|10\\.\\d{1,3}|172\\.(?:1[6-9]|2\\d|3[0-1])|127\\.\\d{1,3})\\.\\d{1,3}\\.\\d{1,3}|0\\.0\\.0\\.0|localhost)

      # Exclude public IPv4 sometimes used in tests
      - pattern-not-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(?:1\\.1\\.1\\.1|8\\.8\\.8\\.8))

      # Exclude cloud provider metadata service IPs
      # <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html>
      - pattern-not-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(?:169\\.254\\.\\d{1,3}\\.\\d{1,3}|\\[fd00:ec2::254\\]))

      # ignore discord allowed 
      - pattern-not-regex: (?:https?:\\/\\/)?discord.com\\/(invite|oauth2\\/authorize)

      - patterns:
        - pattern: ("...")
        - pattern-either:
            # complete domains: shorteners
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(bit\\.ly)\\b)
            # complete domains: ephimerals,tunnels
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(workers\\.dev|appdomain\\.cloud|ngrok\\.io|termbin\\.com|localhost\\.run|webhook\\.(site|cool)|oastify\\.com|burpcollaborator\\.(me|net)|trycloudflare\\.com)\\b)
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(oast\\.(pro|live|site|online|fun|me)|ply\\.gg|pipedream\\.net|dnslog\\.cn|webhook-test\\.com|typedwebhook\\.tools|beeceptor\\.com|ngrok-free\\.(app|dev))\\b)
            # complete domains: exfil
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(discord\\.com|transfer\\.sh|filetransfer\\.io|sendspace\\.com|backblazeb2\\.com|paste\\.ee|pastebin\\.com|hastebin\\.com|ghostbin.site|api\\.telegram\\.org|rentry\\.co)\\b)
            # complete domains: intel 
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(ipinfo\\.io|checkip\\.dyndns\\.org|\\bip\\.me|jsonip\\.com|ipify\\.org|ifconfig\\.me)\\b)
            # complete domains: malware download
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(files\\.catbox\\.moe)\\b)

            # top-level domains
            - pattern-regex: (https?:\\/\\/[^\\n\\[\\/\\?#"']*?\\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream|zip)\\b)
            # IPv4
            - pattern-regex: (https?:\\/\\/[^\\n\\[\\/\\?#"']*?(?:\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}))
            # IPv6
            - pattern-regex: (https?:\\/\\/[^\\n\\[\\/\\?#"']*?(?:\\[(([A-Fa-f0-9]{1,4}:){0,7}|:):?[A-Fa-f0-9]{1,4}(:[A-Fa-f0-9]{1,4}){0,7})\\])
    paths:
      exclude:
        - "*/test/*"
        - "*/tests/*"
        - "*/test_*"
    languages:
      - javascript
      - json
      - python
      - typescript
      - go
    severity: WARNING

# TODO: Detects these links well, but lots of legitimate packages seem to use these domain extensions
rules:
  - id: shady-links
    message: This package contains an URL to a domain with a suspicious extension
    metadata:
      description: Identify when a package contains an URL to a domain with a suspicious extension
    patterns:

      # ignore comments
      - pattern-not-regex: ^\\s*\\# .*
      - pattern-not-regex: ^\\s*\\/\\*(.|\\n)*?\\*\\/\\s*$
      - pattern-not-regex: ^\\s*\\/\\/.*$

      # ignore docstring
      - pattern-not-regex: ^\\s*"""(.|\\n)*?"""\\s*$

      # Exclude local IPv4 sometimes used in tests
      - pattern-not-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(?:192\\.168|10\\.\\d{1,3}|172\\.(?:1[6-9]|2\\d|3[0-1])|127\\.\\d{1,3})\\.\\d{1,3}\\.\\d{1,3}|0\\.0\\.0\\.0|localhost)

      # Exclude public IPv4 sometimes used in tests
      - pattern-not-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(?:1\\.1\\.1\\.1|8\\.8\\.8\\.8))

      # Exclude cloud provider metadata service IPs
      # <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html>
      - pattern-not-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(?:169\\.254\\.\\d{1,3}\\.\\d{1,3}|\\[fd00:ec2::254\\]))

      # ignore discord allowed 
      - pattern-not-regex: (?:https?:\\/\\/)?discord.com\\/(invite|oauth2\\/authorize)

      - patterns:
        - pattern: ("...")
        - pattern-either:
            # complete domains: shorteners
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(bit\\.ly)\\b)
            # complete domains: ephimerals,tunnels
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(workers\\.dev|appdomain\\.cloud|ngrok\\.io|termbin\\.com|localhost\\.run|webhook\\.(site|cool)|oastify\\.com|burpcollaborator\\.(me|net)|trycloudflare\\.com)\\b)
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(oast\\.(pro|live|site|online|fun|me)|ply\\.gg|pipedream\\.net|dnslog\\.cn|webhook-test\\.com|typedwebhook\\.tools|beeceptor\\.com|ngrok-free\\.(app|dev))\\b)
            # complete domains: exfil
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(discord\\.com|transfer\\.sh|filetransfer\\.io|sendspace\\.com|backblazeb2\\.com|paste\\.ee|pastebin\\.com|hastebin\\.com|ghostbin.site|api\\.telegram\\.org|rentry\\.co)\\b)
            # complete domains: intel 
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(ipinfo\\.io|checkip\\.dyndns\\.org|\\bip\\.me|jsonip\\.com|ipify\\.org|ifconfig\\.me)\\b)
            # complete domains: malware download
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(files\\.catbox\\.moe)\\b)

            # top-level domains
            - pattern-regex: (https?:\\/\\/[^\\n\\[\\/\\?#"']*?\\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream|zip)\\b)
            # IPv4
            - pattern-regex: (https?:\\/\\/[^\\n\\[\\/\\?#"']*?(?:\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}))
            # IPv6
            - pattern-regex: (https?:\\/\\/[^\\n\\[\\/\\?#"']*?(?:\\[(([A-Fa-f0-9]{1,4}:){0,7}|:):?[A-Fa-f0-9]{1,4}(:[A-Fa-f0-9]{1,4}){0,7})\\])
    paths:
      exclude:
        - "*/test/*"
        - "*/tests/*"
        - "*/test_*"
    languages:
      - javascript
      - json
      - python
      - typescript
      - go
    severity: WARNING

# TODO: Detects these links well, but lots of legitimate packages seem to use these domain extensions
rules:
  - id: shady-links
    message: This package contains an URL to a domain with a suspicious extension
    metadata:
      description: Identify when a package contains an URL to a domain with a suspicious extension
    patterns:

      # ignore comments
      - pattern-not-regex: ^\\s*\\# .*
      - pattern-not-regex: ^\\s*\\/\\*(.|\\n)*?\\*\\/\\s*$
      - pattern-not-regex: ^\\s*\\/\\/.*$

      # ignore docstring
      - pattern-not-regex: ^\\s*"""(.|\\n)*?"""\\s*$

      # Exclude local IPv4 sometimes used in tests
      - pattern-not-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(?:192\\.168|10\\.\\d{1,3}|172\\.(?:1[6-9]|2\\d|3[0-1])|127\\.\\d{1,3})\\.\\d{1,3}\\.\\d{1,3}|0\\.0\\.0\\.0|localhost)

      # Exclude public IPv4 sometimes used in tests
      - pattern-not-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(?:1\\.1\\.1\\.1|8\\.8\\.8\\.8))

      # Exclude cloud provider metadata service IPs
      # <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html>
      - pattern-not-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(?:169\\.254\\.\\d{1,3}\\.\\d{1,3}|\\[fd00:ec2::254\\]))

      # ignore discord allowed 
      - pattern-not-regex: (?:https?:\\/\\/)?discord.com\\/(invite|oauth2\\/authorize)

      - patterns:
        - pattern: ("...")
        - pattern-either:
            # complete domains: shorteners
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(bit\\.ly)\\b)
            # complete domains: ephimerals,tunnels
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(workers\\.dev|appdomain\\.cloud|ngrok\\.io|termbin\\.com|localhost\\.run|webhook\\.(site|cool)|oastify\\.com|burpcollaborator\\.(me|net)|trycloudflare\\.com)\\b)
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(oast\\.(pro|live|site|online|fun|me)|ply\\.gg|pipedream\\.net|dnslog\\.cn|webhook-test\\.com|typedwebhook\\.tools|beeceptor\\.com|ngrok-free\\.(app|dev))\\b)
            # complete domains: exfil
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(discord\\.com|transfer\\.sh|filetransfer\\.io|sendspace\\.com|backblazeb2\\.com|paste\\.ee|pastebin\\.com|hastebin\\.com|ghostbin.site|api\\.telegram\\.org|rentry\\.co)\\b)
            # complete domains: intel 
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(ipinfo\\.io|checkip\\.dyndns\\.org|\\bip\\.me|jsonip\\.com|ipify\\.org|ifconfig\\.me)\\b)
            # complete domains: malware download
            - pattern-regex: ((?:https?:\\/\\/)?[^\\n\\[\\/\\?#"']*?(files\\.catbox\\.moe)\\b)

            # top-level domains
            - pattern-regex: (https?:\\/\\/[^\\n\\[\\/\\?#"']*?\\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|cd|ws|icu|cam|uno|email|stream|zip)\\b)
            # IPv4
            - pattern-regex: (https?:\\/\\/[^\\n\\[\\/\\?#"']*?(?:\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}))
            # IPv6
            - pattern-regex: (https?:\\/\\/[^\\n\\[\\/\\?#"']*?(?:\\[(([A-Fa-f0-9]{1,4}:){0,7}|:):?[A-Fa-f0-9]{1,4}(:[A-Fa-f0-9]{1,4}){0,7})\\])
    paths:
      exclude:
        - "*/test/*"
        - "*/tests/*"
        - "*/test_*"
    languages:
      - javascript
      - json
      - python
      - typescript
      - go
    severity: WARNING

IOCs

Malicious Packages

newtontrid@gmail.com / frengki4321 — 7 versions across 5 packages

npmtpoc@gmail.com / raya4321 — 12 packages

ipelapple@gmail.com / cketol — 10 packages

getkontakfrank@gmail.com / frengki0707 — 11 packages

Threat Actor Identities

TTPs

Exfiltration Domains

Data Targeted