# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: scavenger, ghostaction

# Reference: https://research.checkpoint.com/2022/cloudguard-spectral-detects-several-malicious-packages-on-pypi-the-official-software-repository-for-python-developers/
# Reference: https://securelist.com/two-more-malicious-python-packages-in-the-pypi/107218/

65.1.221.11:1337
utilities.tk
zerotwo-best-waifu.online

# Reference: https://www.reversinglabs.com/blog/sentinelsneak-malicious-pypi-module-poses-as-security-sdk

http://54.254.189.27
54.254.189.27:443

# Reference: https://blog.cyble.com/2023/05/03/new-kekw-malware-variant-identified-in-pypi-package-distribution/

blackcap.ru
kekwltd.ru

# Reference: https://www.reversinglabs.com/blog/vmconnect-malicious-pypi-packages-imitate-popular-open-source-modules
# Reference: https://otx.alienvault.com/pulse/64d26652e33287d2d5ca7fe7

deliworkshopexpress.xyz
ethertestnet.pro

# Reference: https://global.ptsecurity.com/analytics/pt-esc-threat-intelligence/malicious-packages-deepseeek-and-deepseekai-published-in-python-package-index

eoyyiyqubj7mquj.m.pipedream.net

# Reference: https://x.com/bzvr_/status/1927334283762430183
# Reference: https://x.com/bzvr_/status/1927337812539449744

196.251.81.229:6969

# Reference: https://jfrog.com/blog/chimera-sandbox-extensions-malware-threatens-pypi-users/

chimerasandbox.workers.dev
0l3qvp0sl3r5rgtl.chimerasandbox.workers.dev
4hhmng1s9zobe8gk.chimerasandbox.workers.dev
au6ewri21q4jcokh.chimerasandbox.workers.dev
bmehxcvbijyfpdg7.chimerasandbox.workers.dev
covnn2rvaagchcq1.chimerasandbox.workers.dev
qn2q3zr7js6ubls6.chimerasandbox.workers.dev
tnt69eqbib53nbj3.chimerasandbox.workers.dev
tpur5v4nwlv62e7f.chimerasandbox.workers.dev
twdtsgc8iuryd0iu.chimerasandbox.workers.dev
x403y4difmiagvoo.chimerasandbox.workers.dev

# Reference: https://x.com/johnk3r/status/1949862337340461528
# Reference: https://invokere.com/posts/2025/07/scavenger-malware-distributed-via-num2words-pypi-supply-chain-compromise/
# Reference: https://github.com/Invoke-RE/community-malware-research/blob/main/Research/Loaders/Scavenger/num2words_IOCs.md
# Reference: https://www.virustotal.com/gui/file/c36ebf96573afcb36bb31590d56e8af49502fb159e00fd4a59336f8a450bec8b/detection

ifyouseethisyouareultragay.com
pokerainteasy.su

# Reference: https://blog.gitguardian.com/ghostaction-campaign-3-325-secrets-stolen/

bold-dhawan.45-139-104-115.plesk.page

# Generic (URL path indicators; no host component is given for these entries)

/dsc_injection
/wap/dsc_injection
/wap/enner/injector
/wap/shatlegay/stealer
/wap/shatlegay/stealer123365
/shatlegay/stealer
/shatlegay/stealer123365
