# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://www.reversinglabs.com/blog/operation-brainleeches-malicious-npm-packages-fuel-supply-chain-and-phishing-attacks

http://137.184.153.238
137.184.153.238:443
brainleeches.xyz
ourwhite.brainleeches.xyz

# Reference: https://blog.sonatype.com/npm-packages-caught-exfiltrating-kubernetes-config-ssh-keys
# Reference: https://blog.phylum.io/sensitive-data-exfiltration-campaign-targets-npm-and-pypi/

threatest.com
app.threatest.com
down.threatest.com
cjq18vv2vtc0000pszdggkb7ssayyyyyd.oast.fun

# Reference: https://blog.phylum.io/persistent-npm-campaign-shipping-trojanized-jquery/

addpack.newrxl.online
ajax.failexpect.biz.id
anti-spam.truex.biz.id
api-bo.my.id
api-system.engineer
api-web-vrip.hanznesia.my.id
api.codatuys.biz.id
api.iimg.my.id
api.jstyy.xyz
api.newrxl.online
apii-pandawara.ganznesia.my.id
apii.codatuys.cab
apii.fukaes.ninja
apiiiwebterbaru2024.duckdns.org
apiweb.eventtss.my.id
codatuys.cab
cssimage.dimashost.xyz
dana-dompet-digital.qxue.biz.id
danu.eventtss.my.id
denii.biz.id
dimashost.xyz
ditzzultimate.xyz
dmdpanel.my.id
eventtss.my.id
failexpect.biz.id
fukaes.ninja
ganznesia.my.id
icikipoxx.pw
iimg.my.id
irisainginbos.icikipoxx.pw
jqbzu-18.cfd
jstyy.xyz
klikmelanjutkan-klik.sahdk.my.id
lngss.my.id
lnpss.my.id
log.api-system.engineer
log.systems-alexhost.xyz
nd.api-system.engineer
newrxl.online
newww.my.id
ns.api-system.engineer
panel-host.clannesia.com
panel-host.dmdpanel.my.id
panel.api-bo.my.id
paneljs.dimashost.xyz
paneljs.hanznesia.my.id
patipride.icikipoxx.pw
pokemon.denii.biz.id
project.systemgoods.me
pukil.dannew.biz.id
qxue.biz.id
sahdk.my.id
saystem.ditzzultimate.xyz
system-alexhosting.biz.id
systemgoods.me
systemport.duckdns.org
systems-alexhost.xyz
terbarucuy.terbaruxx.my.id
terbaruxx.biz.id
terbaruxx.cafegt.my.id
terbaruxx.hydickyy.my.id
terbaruxx.iwvx77.cfd
terbaruxx.jqbzu-18.cfd
terbaruxx.lngss.my.id
terbaruxx.lnpss.my.id
terbaruxx.my.id
terbaruxx.newww.my.id
terbaruxx.newxxx.online
terbaruxx.x-vip.my.id
truex.biz.id

# Reference: https://www.reversinglabs.com/blog/malicious-npm-patch-delivers-reverse-shell

5.199.166.1:31337

# Reference: https://www.sonatype.com/blog/multiple-crypto-packages-hijacked-turned-into-info-stealers

eoi2ectd5a5tn1h.m.pipedream.net

# Reference: https://x.com/BleepinComputer/status/1914723629192847406
# Reference: https://x.com/ValidinLLC/status/1914759729722622340
# Reference: https://app.validin.com/detail?find=297eeccac7d5e089db1af9bd2862fe9c3d81a742&type=hash&ref_id=77c4dbed5fc#tab=host_pairs

0x9c.xyz
npmjr.com

# Reference: https://socket.dev/blog/malicious-npm-packages-hijack-cursor-editor-on-macos

aiide.xyz
api.aiide.xyz
cursor.sw2031.com
t.sw2031.com

# Reference: https://www.aikido.dev/blog/catching-a-rat-remote-access-trojian-rand-user-agent-supply-chain-compromise
# Reference: https://app.validin.com/detail?find=f501e29ccf5831a92111&type=hash&ref_id=44e8bf21260#tab=host_pairs (# 2025-05-24)
# Reference: https://www.virustotal.com/gui/file/236ff897dee7d21319482cd67815bd22391523e37e0452fa230813b30884a86f/detection

23.27.20.143:27017
85.239.62.36:27017
85.239.62.36:3306

# Reference: https://www.aikido.dev/blog/supply-chain-attack-on-react-native-aria-ecosystem

136.0.9.8:27017
136.0.9.8:3306

# Reference: https://socket.dev/blog/tinycolor-supply-chain-attack-affects-40-packages

webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7

# Reference: https://socket.dev/blog/malicious-fezbox-npm-package-steals-browser-passwords-from-cookies-via-innovative-qr-code

my-nest-app-production.up.railway.app
res.cloudinary.com/dhuenbqsq/image/upload/v1755767716/b52c81c176720f07f702218b1bdc7eff_h7f6pn.jpg
