
An NPM and PyPI Malicious Campaign Targeting Windows Users

Published 26/11/2024 21:06 · Modified 26/11/2024 21:34


Essential information

Published
26/11/2024 21:06
Modified
26/11/2024 21:34
Tags
2024-11-26 infostealer npm pypi roblox supply-chain typosquatting
Related entities
11 observables, 1 intrusion sets (apt), 10 techniques (mitre), 2 malware

Description

Datadog Security Research has uncovered an ongoing supply chain attack targeting both the npm and PyPI package repositories, tracked as MUT-8694. This campaign uses malicious packages to deliver malware to Windows users, leveraging legitimate services such as GitHub and repl.it for payload hosting. The threat actor employs typosquatting and targets developers, particularly those working with Roblox. Two main malware types are deployed: Blank Grabber and Skuld Stealer, both open-source projects capable of stealing credentials, crypto wallets, and other sensitive information. The campaign demonstrates sophistication in its multi-ecosystem approach and persistence, highlighting the growing risk to open-source package repositories.

External references