{
  "name": "Inside a Tor Backed Supply Chain Worm",
  "slug": "inside-a-tor-backed-supply-chain-worm",
  "description": "A sophisticated npm supply chain attack was uncovered that involves the typosquatted package crypto-javascri, which is designed to mimic the legitimate crypto-js library. The malware harvests npm and GitHub credentials from infected systems, hijacks maintainer accounts, and automatically republishes trojanized versions of packages under trusted identities. The final payload incorporates a weaponized Arti Tor client and adds credential theft, cryptomining, privilege escalation via SUID exploitation, and systemd-based persistence. Arti is itself a legitimate Tor client implementation, so its presence alone does not indicate compromise. The campaign specifically targets Linux developer systems and CI/CD environments, and it uses Tor-based command-and-control infrastructure to maintain anonymity and resilience. Because trojanized packages are republished under trusted maintainer identities, this worm-like propagation model creates significant downstream supply chain risk.",
  "published": "2026-05-20T11:12:11.970000+00:00",
  "created_at": "2026-05-21T16:46:45.889000+00:00",
  "modified_at": "2026-05-21T14:46:45+00:00",
  "created_at_opencti": "2026-05-21T16:46:45.889000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "credential theft",
    "cryptomining",
    "npm",
    "privilege escalation",
    "supply chain attack",
    "tor c2",
    "typosquatting",
    "worm propagation"
  ],
  "tags": [
    "2026-05-20",
    "credential-theft",
    "cryptomining",
    "npm",
    "privilege-escalation",
    "supply chain attack",
    "tor c2",
    "typosquatting",
    "worm propagation"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "fce7d993-e388-4ae1-8f3e-b429aacbcf7e",
        "name": "1cpur2zdsv762uzyoyzma6pvzz4a2xhv64zdouxpjlu3exyks7gh7leyd.onion"
      }
    ],
    "intrusion_sets": [
      {
        "id": "8f308fe6-73ef-4fd0-9c34-777e4e821e67",
        "name": "Sukob",
        "slug": "sukob"
      }
    ],
    "attack_patterns": [
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "3b98bf45-b0e0-4070-90d0-686cbe0cd8d3",
        "name": "T1090.003"
      },
      {
        "id": "a8893562-3ab3-4071-914c-2cc4649cb2d3",
        "name": "T1548.001"
      },
      {
        "id": "7671fe3e-6a85-463e-928d-16117d2f4f9b",
        "name": "T1059.006"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "e615d5ec-8d67-4048-b21d-a5fb09925bb9",
        "name": "T1552.001"
      },
      {
        "id": "894026fa-e537-4b95-b612-7dd8bc367a0d",
        "name": "T1078.001"
      },
      {
        "id": "e87116ac-f56b-4b15-a5e2-a4ed737555d5",
        "name": "T1543.002"
      },
      {
        "id": "96df92ce-da3e-4c6d-8250-cb250c9ed619",
        "name": "T1554"
      },
      {
        "id": "6d618903-d9f6-4747-aec2-7630f43c1908",
        "name": "T1496"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "99571c5a-1615-4466-ab0e-f4d9e9219640",
        "name": "T1552.006"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "1d0d9e67-eb8a-439c-a2c7-cab311bb25c4",
        "name": "T1195.002"
      },
      {
        "id": "41ad5d62-aa6a-47d6-a9a9-fb2209601099",
        "name": "T1098"
      },
      {
        "id": "ee82762a-2958-4901-aade-341277d9b410",
        "name": "T1078.004"
      },
      {
        "id": "a6b6df0a-93c1-4ddf-8403-2bc47590f9fe",
        "name": "T1087.001"
      },
      {
        "id": "e9932d2a-834c-4b6f-8835-dce6c7d12b74",
        "name": "T1563"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "malware": [
      {
        "id": "4eaa8642-961d-48c2-8b21-1f17bfe3a4e0",
        "name": "crypto-javascri",
        "slug": "crypto-javascri"
      },
      {
        "id": "490a0a5d-e482-4f82-8280-ba96c1234e48",
        "name": "Arti",
        "slug": "arti"
      }
    ],
    "observables": [
      {
        "id": "dc769918-f0f2-441e-a6e5-27b36cb92591",
        "name": "1cpur2zdsv762uzyoyzma6pvzz4a2xhv64zdouxpjlu3exyks7gh7leyd.onion"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Technologies"
      },
      {
        "id": "",
        "name": "1cpur2zdsv762uzyoyzma6pvzz4a2xhv64zdouxpjlu3exyks7gh7leyd.onion"
      }
    ]
  },
  "external_refs": [
    {
      "id": "a4ffc008-3379-4bac-af7b-fb3563a47a24",
      "standard_id": "external-reference--6b058b03-4cf6-54f4-b47a-ae4722c23a7c",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.cloudsek.com/blog/inside-a-tor-backed-supply-chain-worm",
      "hash": null,
      "external_id": null,
      "created": "2026-05-21T16:46:43.263Z",
      "modified": "2026-05-21T16:46:43.263Z",
      "createdById": null
    },
    {
      "id": "16d22b72-cf82-48d1-ac6f-40754271ad47",
      "standard_id": "external-reference--aa09ddb7-0367-58f4-a9a6-8d928dc863db",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/6a0d970b3015e77563f4a9fa",
      "hash": null,
      "external_id": "6a0d970b3015e77563f4a9fa",
      "created": "2026-05-21T16:46:43.225Z",
      "modified": "2026-05-21T16:46:43.225Z",
      "createdById": null
    }
  ]
}