Malware Campaigns & Threat Actors

Two tiers of campaigns

186 curated campaigns are hand-researched and actor-attributed — each its own story, with a teardown written specifically for it. 498 catalogued campaigns are coordinated malicious-package batches auto-grouped from our 275,001-record malware feed (a shared scope, mass-publish stem, or typosquat family).

Curated campaigns

The hand-researched, actor-attributed campaigns in the Vulnetix malware corpus:

• AUR 'Albanian virus' protestware wave (pingwin840, 2026-06) — npm, 4 records, 4 linked actors, 4 IOCs
• Atomic Arch AUR supply-chain compromise (2026-06-11) — aur, 1,905 records, 358 linked actors, 26 IOCs
• OphimCMS Packagist trojanized-jQuery theme campaign (2026-03) — packagist, 393 records, 7 linked actors, 650 IOCs
• Vendor threat-intel blog harvest (npm/PyPI supply-chain malware, 2024-2026) — npm, 110 records, 82 IOCs
• TeamPCP/Miasma PyPI credential-stealer cluster (2026) — pypi, 4 records, 13 IOCs
• oob.moika.tech npm dependency-confusion campaign (2026-05/06) — npm, 398 records, 6 linked actors, 186 IOCs
• NuGet bmrxntfj IR.* credential-stealer campaign (2025-09) — nuget, 14 records, 3 linked actors, 12 IOCs
• Nethereum NuGet crypto-stealer cluster (2025) — nuget, 6 records, 6 linked actors, 2 IOCs
• Shai-Hulud npm worm (Sept 2025) — npm, 6 records, 10 IOCs
• DPRK Contagious Interview / Lazarus npm (2024-2025) — mixed, 10 records, 22 linked actors, 11 IOCs
• xrpl.js official npm backdoor (CVE-2025-32965) — Apr 2025 — npm, 2 records, 5 IOCs
• ethers-provider2 reverse-shell npm campaign (2025) — mixed, 4 records, 1 linked actors, 6 IOCs
• tj-actions/changed-files CI secret exfil (CVE-2025-30066) — Mar 2025 — source, 1 records, 2 IOCs
• ultralytics XMRig (2024) — pypi, 2 records, 7 IOCs
• @solana/web3.js backdoor (2024) — npm, 4 records, 59 IOCs
• aiocpa PyPI self-backdoor (Nov 2024) — mixed, 3 records, 2 linked actors, 3 IOCs
• npm wallet-drainer compromises (lottie-player, ledger connect-kit) — mixed, 4 records, 8 IOCs
• mal-npm-yanti mass-publish operators — mixed, 1,298 records, 1 linked actors, 40 IOCs
• mal-npm-putri mass-publish operators — mixed, 1,244 records, 2 linked actors, 40 IOCs
• mal-npm-wibowo mass-publish operators — mixed, 662 records, 2 linked actors, 40 IOCs
• mal-npm-kurniawan mass-publish operators — mixed, 638 records, 2 linked actors, 40 IOCs
• mal-npm-patria mass-publish operators — mixed, 638 records, 2 linked actors, 40 IOCs
• mal-npm-rifqi mass-publish operators — mixed, 635 records, 1 linked actors, 40 IOCs
• mal-npm-fauzi mass-publish operators — mixed, 633 records, 2 linked actors, 40 IOCs
• mal-npm-sinta mass-publish operators — mixed, 625 records, 2 linked actors, 40 IOCs
• mal-npm-kurnia mass-publish operators — mixed, 612 records, 1 linked actors, 40 IOCs
• mal-npm-siska mass-publish operators — mixed, 592 records, 2 linked actors, 40 IOCs
• mal-npm-kapvino mass-publish operators — mixed, 375 records, 2 linked actors, 40 IOCs
• mal-npm-poglymer mass-publish operators — mixed, 349 records, 2 linked actors, 40 IOCs
• mal-npm-sonic mass-publish operators — mixed, 349 records, 2 linked actors, 40 IOCs
• mal-npm-avminh mass-publish operators — mixed, 173 records, 2 linked actors, 40 IOCs
• mal-npm-fadila-poke mass-publish operators — mixed, 150 records, 2 linked actors, 40 IOCs
• mal-npm-tehah mass-publish operators — mixed, 131 records, 2 linked actors, 40 IOCs
• mal-npm-mahnud mass-publish operators — mixed, 128 records, 2 linked actors, 40 IOCs
• mal-npm-inufgi mass-publish operators — mixed, 122 records, 2 linked actors, 40 IOCs
• mal-npm-abina mass-publish operators — mixed, 111 records, 2 linked actors, 40 IOCs
• mal-npm-suharta-poke mass-publish operators — mixed, 111 records, 2 linked actors, 40 IOCs
• mal-npm-nabila-poke mass-publish operators — mixed, 105 records, 2 linked actors, 40 IOCs
• mal-npm-jurss mass-publish operators — mixed, 103 records, 2 linked actors, 40 IOCs
• mal-npm-lookingan-jaja mass-publish operators — mixed, 101 records, 2 linked actors, 40 IOCs
• mal-npm-lookingan-namalaka mass-publish operators — mixed, 100 records, 2 linked actors, 40 IOCs
• mal-npm-nokire-genji mass-publish operators — mixed, 100 records, 2 linked actors, 40 IOCs
• mal-npm-teagood-nakamala mass-publish operators — mixed, 100 records, 2 linked actors, 40 IOCs
• mal-npm-lintang-tea mass-publish operators — mixed, 100 records, 1 linked actors, 40 IOCs
• mal-npm-teagood-sukuna mass-publish operators — mixed, 99 records, 1 linked actors, 40 IOCs
• mal-npm-sagitta mass-publish operators — mixed, 88 records, 2 linked actors, 40 IOCs
• mal-npm-abang-poke mass-publish operators — mixed, 80 records, 20 linked actors, 40 IOCs
• mal-npm-aben-poke mass-publish operators — mixed, 80 records, 6 linked actors, 40 IOCs
• mal-npm-standard mass-publish operators — mixed, 80 records, 4 linked actors, 40 IOCs
• mal-npm-xanadu mass-publish operators — mixed, 80 records, 4 linked actors, 40 IOCs
• mal-npm-acamar mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-aciyua mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-aether mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-air-poke mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-aji-poke mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-alvito-poke mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-anita mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-apasih mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-apollo mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-aquarius mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-atlas mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-aurora mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-azhar-poke mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-bellatrix mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-betelgeuse mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-bootes mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-bootstrap mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-bulma mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-bunyan mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-cluster mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-colors mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-command mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-config mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-cosmos mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-deneb mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-development mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-docusaurus mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-equinox mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-europa mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-firebase mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-fitra-poke mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-goodaan mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-graphql mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-hafiz mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-haritono-poke mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-hariyono mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-hereis mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-hermes mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-hydra mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-hyperion mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-ignite mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-ilang mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-imugiay mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-iomodra mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-iqbal-poke mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-javascript mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-jeep-poke mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-jimmy-poke mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-kupai mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-lala-poke mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-madan-poke mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-makan mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-manaf mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-markdown mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-middleware mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-mocha mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-mongoose mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-muda-poke mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-munir mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-nconf mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-neptune mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-nodejs mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-nokire-arjuna mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-nokire-kushina mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-nokire-tanjiro mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-nudalea mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-nuxtjs mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-ophiuchus mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-package mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-pitra mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-promise mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-public mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-pulsar mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-quantum mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-quark mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-query mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-rehype mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-release mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-request mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-rocket mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-sahnim mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-secure mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-sedna mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-server mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-stream mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-subscription mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-syahmuda-poke mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-taurus mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-teaa-reborn mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-tealove-boy mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-tealove-dana mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-tealove-lady mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-tealove-nice mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-tunis mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-tusaaya mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-ucok-poke mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-unimna mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-venus mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-wulan mass-publish operators — mixed, 80 records, 2 linked actors, 40 IOCs
• mal-npm-xerxes mass-publish operators — mixed, 80 records, 1 linked actors, 40 IOCs
• mal-npm-centauri mass-publish operators — mixed, 78 records, 2 linked actors, 39 IOCs
• mal-npm-delphinus mass-publish operators — mixed, 78 records, 2 linked actors, 39 IOCs
• mal-npm-hunimi mass-publish operators — mixed, 78 records, 2 linked actors, 39 IOCs
• mal-npm-metalsmith mass-publish operators — mixed, 78 records, 2 linked actors, 39 IOCs
• mal-npm-wezen mass-publish operators — mixed, 78 records, 2 linked actors, 39 IOCs
• mal-npm-elara mass-publish operators — mixed, 76 records, 2 linked actors, 38 IOCs
• mal-npm-modaiv mass-publish operators — mixed, 76 records, 2 linked actors, 38 IOCs
• mal-npm-polymedr mass-publish operators — mixed, 76 records, 2 linked actors, 38 IOCs
• mal-npm-postgres mass-publish operators — mixed, 76 records, 2 linked actors, 38 IOCs
• mal-npm-solis mass-publish operators — mixed, 76 records, 2 linked actors, 38 IOCs
• mal-npm-sqlite mass-publish operators — mixed, 76 records, 2 linked actors, 38 IOCs
• mal-npm-thuban mass-publish operators — mixed, 76 records, 2 linked actors, 38 IOCs
• mal-npm-imugay mass-publish operators — mixed, 74 records, 2 linked actors, 37 IOCs
• mal-npm-install mass-publish operators — mixed, 74 records, 2 linked actors, 37 IOCs
• mal-npm-mensa mass-publish operators — mixed, 74 records, 2 linked actors, 37 IOCs
• mal-npm-uglify mass-publish operators — mixed, 74 records, 2 linked actors, 37 IOCs
• xz-utils / liblzma backdoor (CVE-2024-3094) — "Jia Tan" 2024 — source, 3 records, 3 linked actors, 2 IOCs
• LofyGang npm malware group (2022) — npm, 163 records, 2 linked actors, 81 IOCs
• crossenv typosquat wave (hacktask, 2017) — npm, 22 records, 11 IOCs
• IconBurst npm typosquat campaign (2022) — npm, 10 records, 5 linked actors, 34 IOCs
• bootstrap-sass gem hijack (2019) — npm, 8 records, 68 IOCs
• rest-client gem hijack (2019) — npm, 6 records, 56 IOCs
• event-stream / flatmap-stream npm takeover (2018) — npm, 5 records, 2 linked actors, 4 IOCs
• aabquerys npm typosquat / Cobalt Strike (2024) — mixed, 4 records, 2 linked actors, 6 IOCs
• W4SP Stealer PyPI cluster — mixed, 4 records, 8 IOCs
• coa / rc hijack (2021) — npm, 4 records, 11 IOCs
• ctx PyPI AWS-key theft (2022) — pypi, 4 records, 19 IOCs
• eslint-scope token theft (2018) — npm, 4 records, 6 IOCs
• ua-parser-js hijack (2021) — npm, 3 records, 4 IOCs
• @rspack/core + vant xmrig (2024) — npm, 2 records, 1 IOCs
• electron-native-notify wallet heist (2019) — mixed, 2 records, 1 IOCs
• fabrice AWS-credential typosquat — mixed, 2 records, 1 IOCs
• material-tailwindcss PowerShell loader (2022) — mixed, 2 records, 8 IOCs
• VMConnect / Lazarus PyPI cluster (2023-2024) — pypi, 4 records, 4 IOCs
• torchtriton PyPI dependency-confusion (Dec 2022) — pypi, 2 records, 2 IOCs
• colors/faker maintainer sabotage (Marak, Jan 2022) — npm, 4 records, 1 linked actors, 2 IOCs

STIX feeds for your own controls

We publish the malicious domains, IPs and URLs from this intelligence as free, machine-readable STIX 2.1 bundles split per ecosystem and refreshed every 15 minutes. Start with the generic DNS and URL bundles, or use the interactive page to pick a registry-specific feed.

Download Generic DNS STIX · Download Generic URLs STIX

Caught after they shipped — block them at the gate

Every indicator above was catalogued after the package shipped. The Vulnetix Package Firewall checks each install against this same malware intelligence, across 25+ registries, before the dependency reaches your build. Where Aikido SafeChain, Socket, JFrog Curation and DevGuard each draw on narrower feeds, Vulnetix aggregates OSSF Malicious Packages, OSV.dev, GitHub Advisory and first-party research into one of the largest de-duplicated malware corpora in the industry — then adds Safe Harbour autofix.

Block these before they install →