Lucide Proxy: 148 npm packages used as browser DDoS and adware delivery infrastructure

Confirmed
Discovered Jul 13, 2026

Lucide Proxy abused 148 npm packages as static delivery artifacts for proxy pages; historical builds remotely loaded code and conscripted visiting browsers into Wisp and HTTP floods, while the latest documented wave was adware-only.

398
Affected Packages
41
Observables
4
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Current dossier state
needs review
Last verified
Not yet independently verified
Am I affected?
ishowfeet19, ishowfeet19, ishowfeet19, ishowfeet2
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
Observed fact
Direct-source and cited evidence only.
Informed inference
Analysis is labelled where evidence is indirect.
Unknown
Unverified scope remains explicitly open.
92[.]38[.]177[.]16
92[.]38[.]177[.]37
G-0VL3ZSBXDH
hXXps://woofbeginner[.]com/0a/91/35/0a913561831bdf2c26dcf18b852b5cc1[.]js
c6851a038da578a80eeb201e0588c84c

Analysis

Executive Summary

JFrog tied 148 npm package names to the Lucide Proxy campaign and published an exact package/version/Xray mapping. The packages were not conventional Node libraries: they carried static proxy application assets intended to be hosted and opened in a browser. Historical May builds contained a mutable remote JavaScript loader and Wisp-compatible traffic generator, and JFrog recovered a May 30 archived payload that made visitor browsers participate in an HTTP flood. The researchers report that those modules were removed on May 31; the July 8 wave contained later adware-only builds. Current DDoS execution must therefore not be inferred from current package availability alone. [1]

SafeDep's May 27 snapshot is complementary rather than disproving the historical finding. It analyzed 141 terminal3airport packages as byte-identical static proxy/adware assets with no install hooks or credential stealers. JFrog later reconstructed earlier mutable-loader and flood behavior from repository history and archives, then added seven package names associated with eerikakirk. Package consumers and developers are not automatically compromised by installation; the primary execution path required a proxy build to be served and a user to visit it. [1] [2]

Should you care? If any of the 148 names appears in a lockfile, npm cache, hosted static bundle, deployment inventory, or exported network/browser telemetry, run the tested scope scanner and preserve the matching evidence. Treat dependency presence, hosted deployment, and browser execution as three separate states. Escalate immediately when page visits or service-worker registration overlap with campaign infrastructure, the stable Analytics identifier, or the historical May activity window.

Key Facts

Analysis table
FactValue
Affected artifacts148 npm package names; 398 package/version pairs in iocs.json
Registry publishersterminal3airport and eerikakirk
Representative packagescharlie-kirk, ilovefemboys, miguelphonk
Execution triggerVisiting a hosted proxy page; no npm lifecycle hook was observed
Historical malicious windowRemote loader added May 16; Wisp generator added May 17; HTTP flood observed May 30; malicious modules removed May 31 [1]
Latest documented package waveJuly 8, 2026; JFrog describes it as obfuscated adware-only content [1]
Current registry checkOn July 13, abbreviated npm metadata returned security placeholders for 147 names; charlie-kirk 2.0.0 and 3.0.1 remained downloadable by registry metadata. This does not prove current DDoS behavior. [7]
Hosting footprintJFrog recovered 93 deployment hostnames; 90 resolved to one reported infrastructure IP during its analysis [1]
Immediate actionFind affected dependencies and hosted builds, preserve browser/network evidence, disable affected deployments, block precise campaign infrastructure, and clean confirmed browser service-worker/site data

Evidence Assessment

Analysis table
ClaimAssessmentWhat the evidence provesLimitation
The campaign contains 148 npm packagesConfirmed, high confidenceJFrog provides a 148-row package/version/Xray table; the locally captured table parses to exactly 148 unique names and 398 version pairs [1]JFrog did not publish npm tarball hashes for every version
The May build history had a mutable loader and Wisp generatorConfirmed, high confidenceJFrog deobfuscated the builds; GitHub commit API results independently preserve the cited May 16 and May 17 commits. Static summaries of returned patches contain the loader, WebSocket, Wisp, loopback, browser-storage, and cookie terms reported by JFrog. [1] [4] [5] [6]GitHub omitted or truncated some large patches, so absence in a returned patch would not prove absence
Visitor browsers generated attack trafficConfirmed historically, high confidenceJFrog recovered an archived May 30 HTTP-flood payload and locally simulated Wisp frames without live targets [1]No public victim count or complete visitor/session inventory is available
SafeDep found adware, no install hook, and no credential stealerConfirmed for SafeDep's May package snapshotSafeDep statically compared 141 packages and documented static proxy assets, popunder advertising, tracking, and no lifecycle execution [2]That snapshot did not reconstruct earlier mutable repository history
Current packages execute DDoS codeNot observedJFrog says the July wave used later adware-only builds; registry metadata only establishes name/version availability [1] [7]charlie-kirk remains available, and later external script loading means content risk can change; a fresh artifact/browser capture would be needed
Credentials were stolenNot observedJFrog showed that mutable code could read same-origin cookies/local storage in a sandbox, but neither primary source reports confirmed credential theft [1] [2]A confirmed page visit with beacon evidence would change the response decision

Impact Determination

Analysis table
Exposure classificationCriteriaRequired evidenceRequired actionClosure gate
Confirmed browser executionBrowser history, managed-browser telemetry, proxy/DNS logs, or service-worker inventory shows a campaign deployment and matching page executionUTC browser history, service-worker origin/scope, cached asset hashes, DNS/proxy records, deployment versionPreserve evidence, isolate the hosted deployment, block precise infrastructure, unregister the affected service worker after preservation, clear that origin's data, and investigate outbound trafficRebuilt deployment and affected browsers scan clean; no campaign selectors in 30 days of monitoring
Confirmed hosted exposureA deployment contains an affected package/version or assets mapped to the malicious May commits, but visitor evidence is incompleteBuild manifest, lockfile, deployed file hashes, CDN object metadata, source maps, deployment logsDisable the deployment, preserve artifacts and access logs, invalidate CDN objects, rebuild from reviewed sourceClean artifact scan, cache purge evidence, and complete visitor-impact review
Package present, execution unprovenAffected name/version appears only in a manifest, lockfile, cache, or registry mirrorDependency files, cache metadata, SBOM, internal registry logsRemove the package, determine whether it was ever deployed as a web app, and rebuild only if it entered a deploymentPackage/version absent from dependencies, caches selected for rebuild, and deployed artifacts
Not affectedComplete relevant dependency, deployment, browser, and network scopes are cleanScanner output plus inventory proving those scopes were suppliedRetain evidence and monitor new Lucide-related package namesRecheck after the monitoring window and inventory changes

Minimum Evidence To Collect

  • Preserve dependency manifests, lockfiles, SBOMs, npm cache metadata, and internal registry logs. These establish package exposure but do not prove that browser code executed.
  • Export deployment manifests, build logs, source maps, CDN object listings, WAF logs, and static asset hashes. These map affected package content or GitHub build history to a served application.
  • Export browser history, service-worker registration scope/origin, cached asset metadata, and site-data timestamps from managed endpoints. These decide whether a user actually opened the proxy and whether its service worker persisted.
  • Preserve DNS, secure web gateway, HTTP proxy, firewall, and NetFlow records with UTC timestamps from March 5 through at least July 13. These correlate page visits with campaign infrastructure, the stable Analytics property, and possible flood traffic.
  • Preserve the exact scanner input set, scanner JSON output, collection time, analyst identity, and SHA-256 of exported evidence. Negative results are inconclusive when one of the dependency, deployment, browser, or network scopes is missing.

Timeline

  • 2026-03-05 (time unknown): JFrog's earliest observed Lucide page used Analytics property G-0VL3ZSBXDH and reverse DNS on geeked[.]wtf. [1]
  • 2026-03-16 (time unknown): JFrog first observed traffic monetized through woofbeginner[.]com. [1]
  • 2026-05-16 17:01:27 UTC: lucideproxy/svg commit bcc9868e345b6a04e2b2b89de355d1829daf31e1 updated the build; JFrog maps this phase to addition of the mutable loader. [1] [4]
  • 2026-05-17 04:26:12 UTC: Commit 9b7ca53d6bd8c197e8fe29eabcff54b03331f98f updated the build; JFrog maps this phase to the Wisp generator capped at 64 sockets. [1] [5]
  • 2026-05-17 13:25:50 UTC: Commit ccc7c921bc931c93cf418a877e16fe768a201500 updated the obfuscated build; JFrog maps this phase to a 1,024-socket cap. [1] [6]
  • 2026-05-27 (times vary): SafeDep documented 141 packages under terminal3airport as static proxy/adware assets with no install hook. [2]
  • 2026-05-30 (time unknown): JFrog's Wayback analysis recovered an active HTTP-flood payload targeting an external site from visiting browsers. [1]
  • 2026-05-31 (exact source/build mapping unresolved): JFrog reports removal of the remote loader and Wisp modules. The abbreviated source commit cf741e982181a did not resolve directly in the public lucideproxy/svg API; several build commits exist around 01:00 UTC. [1] [3]
  • 2026-07-08 (times vary): Seven additional package names associated with eerikakirk brought the total to 148; JFrog describes these builds as adware-only. [1]
  • 2026-07-13 21:55:38 UTC: Static abbreviated registry metadata queries returned 147 0.0.1-security placeholders and left charlie-kirk 2.0.0/3.0.1 available. No tarballs were downloaded or executed. [7]
  • 2026-07-13: JFrog published the full historical DDoS/RCE analysis. [1]

What Happened

The operator published batches of static proxy applications under unusual npm names, using npm as a distribution/CDN-adjacent channel rather than as a normal imported library. Deployers could host those assets as student-oriented unblocker pages. Visitors then ran the application's JavaScript and service worker in their browsers. [1] [2]

In May, the build repository briefly gained a mutable loader and a Wisp-compatible traffic generator. This gave the hosted application a remote behavior-control path and a way to create high-rate connection churn through remote Wisp proxy servers. JFrog also recovered an archived HTTP flood. The modules were later removed, leaving adware and third-party script loading in the July package wave. [1]

Initial Access

There is no evidence of maintainer-account compromise or typosquatting against a legitimate library. The campaign created its own package names under terminal3airport and eerikakirk and published web application assets. The supply-chain abuse is the use of a trusted public registry to distribute mutable, obfuscated browser content. [1] [2]

Execution Trigger

Installing or caching a package did not automatically execute malware. SafeDep found no lifecycle scripts, and the package entry points were static/service-worker assets rather than usable Node modules. Browser behavior began when someone served the application and a visitor opened the page. That distinction is essential for scoping: package presence is an exposure lead, not proof of endpoint compromise. [2]

Payload Behavior

Historical builds loaded JavaScript from a mutable CDN-backed path and generated Wisp v2-compatible control frames. JFrog reports that the configuration grew from 64 to 1,024 WebSocket connections and could produce rapid connection creation/teardown pressure on a remote Wisp server. A separate archived payload produced HTTP request floods. Later builds removed these modules but retained obfuscated advertising and external script loading. [1]

Credential or Data Collection

JFrog demonstrated in a local sandbox that remotely supplied code could read cookies and local storage available to the proxy origin and beacon values out. This establishes capability, not observed credential theft. Same-origin browser boundaries and the exact proxy implementation determine what data was reachable. Do not order broad enterprise credential rotation without a confirmed visit plus storage/beacon evidence; invalidate sessions or tokens specifically exposed through the affected origin when that evidence exists. [1]

Defense Evasion

The builds used obfuscation, randomized asset filenames, fake tutoring branding, hidden SEO text, and ordinary npm/CDN/browser delivery. The mutable loader separated the initially reviewed static artifact from later behavior. These techniques make package-only scanning insufficient and require deployment plus browser/network correlation. [1] [2]

Exfiltration and Command and Control

No confirmed credential exfiltration campaign was documented. The remote loader and advertising scripts created attacker-controlled or campaign-linked network dependencies; JFrog's sandbox showed beacon capability. Treat precise URLs and payload hashes as stronger signals than broad shared CDN domains. Raw network indicators are kept in iocs.json; this prose defangs them. [1]

Affected Assets and Blast Radius

The exact machine-readable set is 148 package names and 398 package/version pairs in iocs.json. The JFrog table includes charlie-kirk, ilovefemboys, miguelphonk, 141 SafeDep-era names, and seven later names. The blast radius cannot be inferred from npm download counts because the meaningful victim action was hosting or visiting the resulting proxy application. [1] [2]

Analysis table
Asset classExposure pathKnown scopeConfidence
npm package consumersPackage downloaded or mirrored148 names; current malicious versions unavailable for 147 names, with charlie-kirk still available by metadataHigh for identity, medium for current content
Hosted proxy deploymentsPackage assets served as a static web applicationJFrog recovered 93 hostnamesHigh for reported count; complete list unavailable
Browser usersVisited a deployed proxy page and ran its scripts/service workerUnknown visitor countExposure-dependent
GitHub build historylucideproxy/svg commits retained historical build transitionsPublic repository and cited immutable commitsHigh

Indicators of Compromise

Use iocs.json for raw, typed values. Important human-readable pivots include:

Analysis table
TypeValueContext
npm publishersterminal3airport, eerikakirkCampaign publishing accounts
repositorylucideproxy/svgPublic build history
Analytics IDG-0VL3ZSBXDHStable cross-deployment campaign identifier
historical infrastructurelucideon[.]top, woofbeginner[.]com, wisp[.]breadarchive[.]dpdns[.]orgPage, advertising, and Wisp pivots
primary infrastructure IP92[.]38[.]177[.]17Ninety reported deployments resolved here during JFrog's analysis
payload SHA-2564b188d179e50e8208a6efec85e273e88d8fc390c836f299ba12915e0840408fdArchived HTTP-flood payload

Detection and Hunting

Run scripts/scan_lucide_proxy_exposure.py opens in a new tab against a reader-owned repository or a directory containing exported dependency, deployment, browser, DNS, proxy, CDN, WAF, or hosting evidence:

python3 scripts/scan_lucide_proxy_exposure.py "$HOME/ir-exports/lucide-scope" --out "$HOME/ir-exports/lucide-scan.json"

The script embeds all 148 names, their exact malicious version mapping, campaign publishers/repositories, payload hashes, precise URLs/domains/IPs, and stable identifiers. It does not make network requests or execute located content.

  • Exit 0: no selector was found in the supplied scope. This is clean only for the evidence types actually included.
  • Exit 1: at least one selector matched. Preserve the matching file/log and correlate package, deployment, browser, and network evidence.
  • Exit 2: collection failed or the scope was invalid. Do not interpret this as clean.

Package-name-only matches can be noisy because some names are generic. A package/version pair in a lockfile is stronger, but still does not prove that a web page was hosted or visited. A positive page-origin or service-worker match plus proxy/DNS traffic is the strongest available exposure evidence.

For a read-only forensic copy of a Chromium or Chrome user-data directory, run scripts/collect_chromium_lucide_evidence.py opens in a new tab:

python3 scripts/collect_chromium_lucide_evidence.py "$HOME/ir-exports/chromium-user-data" --out "$HOME/ir-exports/lucide-browser-evidence.json"

This collector queries History SQLite databases read-only and searches service-worker/cache files for exact campaign selectors without emitting unrelated browsing records. Exit codes use the same 0 clean, 1 match, and 2 collection-failure contract.

Downstream Abuse Audits

This event supports browser and hosting audits, not a generic cloud/OIDC or developer-workstation compromise runbook. Collect the affected origin's service-worker registration, cache/site-data timestamps, browser history, and outbound proxy/DNS records. Map those timestamps to deployment artifacts and the historical May commits. If a user visited only a July adware build, document advertising/privacy impact separately from DDoS participation.

If beacon logs prove that a sensitive same-origin session or token left the browser, revoke that specific session/token from a clean administrative environment and audit its subsequent use. Neither primary source justifies rotating unrelated GitHub, npm, cloud, SSH, or workstation credentials based solely on package presence. [1] [2]

Remediation and Recovery Gates

  1. Preserve lockfiles, build artifacts, hosted files, browser/service-worker records, proxy/DNS logs, and UTC timestamps before cleanup.
  2. Disable confirmed Lucide-derived deployments and prevent further access while evidence is collected.
  3. Block the precise campaign domains, URLs, and IPs in iocs.json; avoid blocking shared CDN domains without path-level controls.
  4. Remove all affected package/version pairs from dependency manifests, lockfiles, registry mirrors, and caches selected for rebuild.
  5. Rebuild hosted proxy applications from reviewed source without mutable loaders or campaign advertising scripts, then invalidate CDN objects.
  6. On confirmed visitor browsers, unregister the affected-origin service worker and clear that origin's cached assets/cookies/site data after evidence preservation.
  7. Revoke only sessions or tokens shown to be reachable and transmitted; record why broader rotation is not applicable when there is no such evidence.
  8. Run the tested scanner across rebuilt artifacts and complete dependency, deployment, browser, and network evidence scopes.
  9. Close only after the rebuilt deployment and affected browsers are clean and 30 days of monitoring show no campaign selector, with package consumers and page visitors counted separately.

Open Questions

  • Does the currently available charlie-kirk 2.0.0 or 3.0.1 content contain any live mutable behavior beyond the July adware build? This run did not download package tarballs.
  • What are the complete 93 deployment hostnames and their first/last served timestamps?
  • Which public build commit exactly corresponds to JFrog's abbreviated cf741e982181a module-removal reference?
  • How many deployments served a malicious May build, and how many unique browsers visited them?

Sources

[1] https://research.jfrog.com/post/lucide-proxy-npm-malware-campaign/ opens in a new tab — Primary reverse engineering, timeline, package/version table, hosting footprint, and IOC appendix; published July 13, 2026.

[2] https://safedep.io/malicious-npm-terminal3airport-proxy-adware-spam/ opens in a new tab — Primary static package analysis of the 141-package May snapshot; documents adware/static assets and absence of install hooks or credential stealers.

[3] https://github.com/lucideproxy/svg opens in a new tab — Direct public build repository metadata and history.

[4] https://github.com/lucideproxy/svg/commit/bcc9868e345b6a04e2b2b89de355d1829daf31e1 opens in a new tab — Direct May 16 build commit referenced by the historical loader phase.

[5] https://github.com/lucideproxy/svg/commit/9b7ca53d6bd8c197e8fe29eabcff54b03331f98f opens in a new tab — Direct May 17 build commit referenced by the Wisp-generator phase.

[6] https://github.com/lucideproxy/svg/commit/ccc7c921bc931c93cf418a877e16fe768a201500 opens in a new tab — Direct May 17 obfuscated build commit referenced by the higher socket-cap phase.

[7] https://registry.npmjs.org/charlie-kirk opens in a new tab — Direct npm registry metadata for the package that remained available during the July 13 static status check; the complete 148-name query result is preserved in the research packet.

Timeline

7 of 7 rows

Timeline
DateEventDescriptionSource
May 27, 2026Malicious publish timeMalicious publish time recorded for Lucide Proxy: 148 npm packages used as browser DDoS and adware delivery infrastructure.GitHub
Jul 13, 2026DisclosureDisclosure recorded for Lucide Proxy: 148 npm packages used as browser DDoS and adware delivery infrastructure.GitHub
May 27, 2026DiscoveryDiscovery recorded for Lucide Proxy: 148 npm packages used as browser DDoS and adware delivery infrastructure.GitHub
May 31, 2026Patch or fixPatch or fix recorded for Lucide Proxy: 148 npm packages used as browser DDoS and adware delivery infrastructure.GitHub
Mar 5, 2026First seenFirst seen recorded for Lucide Proxy: 148 npm packages used as browser DDoS and adware delivery infrastructure.GitHub
Jul 13, 2026RemovalRemoval recorded for Lucide Proxy: 148 npm packages used as browser DDoS and adware delivery infrastructure.GitHub
Jul 13, 2026Lucide Proxy: 148 npm packages used as browser DDoS and adware delivery infrastructureUnknownGitHub

Affected Software

398 of 398 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
ishowfeet19npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet19npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet19npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet2npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet2npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet2npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet20npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet20npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet20npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet3npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet3npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet3npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet4npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet4npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet4npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet5npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet5npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet5npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet6npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet6npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet6npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet7npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet7npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet7npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet8npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet8npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet8npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet9npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet9npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet9npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
kirklandnpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
kirklandnpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
lowkeyborednpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
lowkeyborednpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
lowkirkuenlynpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
lowkirkuenlynpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
midnightrushnpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
midnightrushnpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
miguelphonknpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
miguelphonknpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff1npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff1npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff1npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff10npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff10npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff10npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff11npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff11npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff11npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff12npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff12npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff12npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff13npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff13npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff13npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff14npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff14npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff14npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff15npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff15npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff15npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff16npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff16npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff16npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff17npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff17npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff17npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff18npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff18npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff18npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff19npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff19npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff19npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff2npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff2npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff2npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff20npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff20npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff20npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff21npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff21npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff21npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff22npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff22npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff22npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff23npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff23npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff23npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff24npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff24npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff24npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff25npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff25npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff25npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff26npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff26npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff26npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff27npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff27npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff27npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff28npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff28npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff28npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff29npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff29npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff29npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff3npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff3npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff3npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff30npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff30npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff30npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff4npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff4npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff4npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff5npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff5npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff5npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff6npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff6npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff6npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff7npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff7npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff7npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff8npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff8npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff8npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff9npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff9npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
nottuff9npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
omglucidesotuffnpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
omglucidesotuffnpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
omgyesyesyesnpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
omgyesyesyesnpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
pasirianspiritnpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
pasirianspiritnpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucksnpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucksnpm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucksnpm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucksnpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks1npm1.1.3Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks1npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks1npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks10npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks10npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks10npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks2npm1.1.4Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks2npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks2npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks2npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks3npm1.1.5Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks3npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks3npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks4npm1.1.6Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks4npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks4npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks5npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks5npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks5npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks6npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks6npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks6npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks9npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ratelimitsucks9npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven1npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven1npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven1npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven10npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven2npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven2npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven2npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven3npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven3npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven3npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven4npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven4npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven4npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven5npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven5npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven5npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven6npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven6npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven6npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven7npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven8npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
sixseven9npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
speed1npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
speed1npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
speed2npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
speed2npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
speed3npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
speed3npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
speed4npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
speed4npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
speed5npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
speed5npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
thebigyahunpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
thebigyahunpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
timmytuffknuckles3npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
timmytuffknuckles3npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
timmytuffknuckles6npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
timmytuffknuckles6npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
timmytuffknuckles9npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
timmytuffknuckles9npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
whatsadmaidknpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
whatsadmaidknpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
changiairportpromaxnpm1.1.3Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
changiairportpromaxnpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
testdonotredeemitnpm1.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
testdonotredeemitnpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
testdonotredeemitnpm2.1.1Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden212npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden212npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
charlie-kirknpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
charlie-kirknpm3.0.1Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ilovefemboysnpm1.1.3Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ilovefemboysnpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden1npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden1npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden1npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden2npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden2npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden2npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden21npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden21npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden21npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden210npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden210npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden210npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden211npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden211npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden211npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden212npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden213npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden213npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden213npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden214npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden214npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden214npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden215npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden215npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden215npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden216npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden216npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden216npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden217npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden217npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden217npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden218npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden218npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden218npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden219npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden219npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden219npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden22npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden22npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden22npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden220npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden220npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden220npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden221npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden221npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden221npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden222npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden222npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden222npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden223npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden223npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden223npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden224npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden224npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden224npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden225npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden225npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden225npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden226npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden226npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden226npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden227npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden227npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden227npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden228npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden228npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden228npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden229npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden229npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden229npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden23npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden23npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden23npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden230npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden230npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden230npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden24npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden24npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden24npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden25npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden25npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden25npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden26npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden26npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden26npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden27npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden27npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden27npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden28npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden28npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden28npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden29npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden29npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden29npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden3npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden3npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden3npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden4npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden4npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden4npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden5npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden5npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
abuden5npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
acidicnpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
backup1-ggnpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
backup1-ggnpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
backup2-asdnpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
backup2-asdnpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
backup3-ffnpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
backup3-ffnpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
backup4-gaspnpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
backup4-gaspnpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
backup5-updatednpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
backup5-updatednpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
backupgenuine-updatednpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
backupgenuine-updatednpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
backupsitetuff10npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
backupsitetuff10npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
backupsitetuff3npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
backupsitetuff3npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
backupsitetuff6npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
backupsitetuff6npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
backupsitetuff9npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
backupsitetuff9npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
bismillahitidakimasnpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
bismillahitidakimasnpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
bomboclatwallahinpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
bomboclatwallahinpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
captainindianpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
captainindianpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
crazynutnpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
crazynutnpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
fflc-updatednpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
fflc-updatednpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
howmanygreatbritainnpm1.1.2Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
howmanygreatbritainnpm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
imillegal1npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
imillegal1npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
imillegal1npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
imillegal2npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
imillegal2npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
imillegal2npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
imillegal3npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
imillegal3npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
imillegal3npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
imillegal4npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
imillegal4npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
imillegal4npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
imillegal5npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
imillegal5npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
imillegal5npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet1npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet1npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet1npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet10npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet10npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet10npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet11npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet11npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet11npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet12npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet12npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet12npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet13npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet13npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet13npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet14npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet14npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet14npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet15npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet15npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet15npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet16npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet16npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet16npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet17npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet17npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet17npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet18npm1.1.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet18npm1.7.7Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com
ishowfeet18npm2.0.0Malicious90%GitHub; safedep.io; npm Registry; research.jfrog.com

IOC Clipboard

41 IOCs
ip92.38.177.16
ip92.38.177.37
network_patternG-0VL3ZSBXDH
urlhttps://woofbeginner.com/0a/91/35/0a913561831bdf2c26dcf18b852b5cc1.js
network_patternc6851a038da578a80eeb201e0588c84c
urlhttps://cdn.conditionfuneral.com
domainwoofbeginner.com
hash4b188d179e50e8208a6efec85e273e88d8fc390c836f299ba12915e0840408fd
urlhttps://cdn.jsdelivr.net/gh/canyoupleasesaysomething/cdn@main/cdn.js
urlhttps://lucideon.top
urlhttps://woofbeginner.com/jivd2xu8
domainlucideon.top
urlhttps://cdn.jsdelivr.net/gh/canyoupleasesaysomething/cdn@main/websocket.txt
hasheb4e1394d537d8eba509dd5c57e7aaf4c1df57715c7161330012a11f6202af84
domainpreferencenail.com
ip5.188.124.67
domainskinnycrawlinglax.com
domaincdn.conditionfuneral.com
network_pattern0a913561831bdf2c26dcf18b852b5cc1
domainprotrafficinspector.com
urlhttps://c.vipersfutbol.com/script.js
urlhttps://realizationnewestfangs.com
urlhttps://protrafficinspector.com/stats
domainabdct.com
file_pathassets/73sxysj46r.js
ip153.75.225.178
domainc.vipersfutbol.com
domaingeeked.wtf
file_pathassets/script.js
urlhttps://wisp.breadarchive.dpdns.org
domain21baseballacademy.com
ip92.38.177.17
domainwisp.breadarchive.dpdns.org
domainrealizationnewestfangs.com
urlhttps://skinnycrawlinglax.com/dnn2hkn8
domaincdn.21baseballacademy.com
urlhttps://abdct.com/
urlhttps://21baseballacademy.com
hash10ddbbae0070267b8d15888b09a3cdb19fa74d861315b71f21c9ace8b9f85c75
urlhttps://preferencenail.com/sfp.js
ip92.38.177.10

Tested Hunting Scripts

2 of 2 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
Lucide Proxy package, hosting, browser, and network exposure scopePythonDo reader-owned dependency files, hosted assets, browser exports, DNS/proxy logs, or other telemetry contain exact Lucide Proxy campaign selectors?scripts/scan_lucide_proxy_exposure.py opens in a new tabGitHub
Read-only Chromium Lucide Proxy history and service-worker evidencePythonDoes a reader-owned Chromium/Chrome user-data directory or forensic copy contain campaign URLs, domains, identifiers, or payload hashes in history, service-worker, or cache artifacts?scripts/collect_chromium_lucide_evidence.py opens in a new tabGitHub

Hunt Manifest: Lucide Proxy package, hosting, browser, and network exposure scope

Title
Lucide Proxy package, hosting, browser, and network exposure scope
Question
Do reader-owned dependency files, hosted assets, browser exports, DNS/proxy logs, or other telemetry contain exact Lucide Proxy campaign selectors?
Telemetry Family
Python
Repository
scripts/scan_lucide_proxy_exposure.py
Show tested hunting scriptscripts/scan_lucide_proxy_exposure.py
scripts/scan_lucide_proxy_exposure.py opens in a new tabPython
#!/usr/bin/env python3
"""Static Lucide Proxy exposure scanner for reader-owned files and log exports.

Exit codes: 0 clean, 1 campaign selector found, 2 collection or input failure.
The scanner performs no network requests and never executes located content.
"""

from __future__ import annotations

import argparse
import json
import os
import re
import sys
from pathlib import Path


OUT = "hp-lucide-proxy-npm-browser-ddos-campaign-scope"
MAX_FILE_BYTES = 8 * 1024 * 1024
EXCLUDED_DIRS = {"node_modules", ".git", ".venv", "__pycache__", OUT}

PACKAGES = ['charlie-kirk',
 'ilovefemboys',
 'abuden1',
 'abuden2',
 'abuden21',
 'abuden210',
 'abuden211',
 'abuden212',
 'abuden213',
 'abuden214',
 'abuden215',
 'abuden216',
 'abuden217',
 'abuden218',
 'abuden219',
 'abuden22',
 'abuden220',
 'abuden221',
 'abuden222',
 'abuden223',
 'abuden224',
 'abuden225',
 'abuden226',
 'abuden227',
 'abuden228',
 'abuden229',
 'abuden23',
 'abuden230',
 'abuden24',
 'abuden25',
 'abuden26',
 'abuden27',
 'abuden28',
 'abuden29',
 'abuden3',
 'abuden4',
 'abuden5',
 'acidic',
 'backup1-gg',
 'backup2-asd',
 'backup3-ff',
 'backup4-gasp',
 'backup5-updated',
 'backupgenuine-updated',
 'backupsitetuff10',
 'backupsitetuff3',
 'backupsitetuff6',
 'backupsitetuff9',
 'bismillahitidakimas',
 'bomboclatwallahi',
 'captainindia',
 'crazynut',
 'fflc-updated',
 'howmanygreatbritain',
 'imillegal1',
 'imillegal2',
 'imillegal3',
 'imillegal4',
 'imillegal5',
 'ishowfeet1',
 'ishowfeet10',
 'ishowfeet11',
 'ishowfeet12',
 'ishowfeet13',
 'ishowfeet14',
 'ishowfeet15',
 'ishowfeet16',
 'ishowfeet17',
 'ishowfeet18',
 'ishowfeet19',
 'ishowfeet2',
 'ishowfeet20',
 'ishowfeet3',
 'ishowfeet4',
 'ishowfeet5',
 'ishowfeet6',
 'ishowfeet7',
 'ishowfeet8',
 'ishowfeet9',
 'kirkland',
 'lowkeybored',
 'lowkirkuenly',
 'midnightrush',
 'miguelphonk',
 'nottuff1',
 'nottuff10',
 'nottuff11',
 'nottuff12',
 'nottuff13',
 'nottuff14',
 'nottuff15',
 'nottuff16',
 'nottuff17',
 'nottuff18',
 'nottuff19',
 'nottuff2',
 'nottuff20',
 'nottuff21',
 'nottuff22',
 'nottuff23',
 'nottuff24',
 'nottuff25',
 'nottuff26',
 'nottuff27',
 'nottuff28',
 'nottuff29',
 'nottuff3',
 'nottuff30',
 'nottuff4',
 'nottuff5',
 'nottuff6',
 'nottuff7',
 'nottuff8',
 'nottuff9',
 'omglucidesotuff',
 'omgyesyesyes',
 'pasirianspirit',
 'ratelimitsucks',
 'ratelimitsucks1',
 'ratelimitsucks10',
 'ratelimitsucks2',
 'ratelimitsucks3',
 'ratelimitsucks4',
 'ratelimitsucks5',
 'ratelimitsucks6',
 'ratelimitsucks9',
 'sixseven1',
 'sixseven10',
 'sixseven2',
 'sixseven3',
 'sixseven4',
 'sixseven5',
 'sixseven6',
 'sixseven7',
 'sixseven8',
 'sixseven9',
 'speed1',
 'speed2',
 'speed3',
 'speed4',
 'speed5',
 'thebigyahu',
 'timmytuffknuckles3',
 'timmytuffknuckles6',
 'timmytuffknuckles9',
 'whatsadmaidk',
 'changiairportpromax',
 'testdonotredeemit']

PACKAGE_VERSION_MAP = {'charlie-kirk': ['2.0.0', '3.0.1'],
 'ilovefemboys': ['1.1.3', '2.0.0'],
 'abuden1': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden2': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden21': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden210': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden211': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden212': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden213': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden214': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden215': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden216': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden217': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden218': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden219': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden22': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden220': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden221': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden222': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden223': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden224': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden225': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden226': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden227': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden228': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden229': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden23': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden230': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden24': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden25': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden26': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden27': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden28': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden29': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden3': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden4': ['1.1.7', '1.7.7', '2.0.0'],
 'abuden5': ['1.1.7', '1.7.7', '2.0.0'],
 'acidic': ['2.0.0'],
 'backup1-gg': ['1.1.2', '2.0.0'],
 'backup2-asd': ['1.1.2', '2.0.0'],
 'backup3-ff': ['1.1.2', '2.0.0'],
 'backup4-gasp': ['1.1.2', '2.0.0'],
 'backup5-updated': ['1.1.2', '2.0.0'],
 'backupgenuine-updated': ['1.1.2', '2.0.0'],
 'backupsitetuff10': ['1.1.7', '2.0.0'],
 'backupsitetuff3': ['1.1.7', '2.0.0'],
 'backupsitetuff6': ['1.1.7', '2.0.0'],
 'backupsitetuff9': ['1.1.7', '2.0.0'],
 'bismillahitidakimas': ['1.1.2', '2.0.0'],
 'bomboclatwallahi': ['1.1.2', '2.0.0'],
 'captainindia': ['1.1.2', '2.0.0'],
 'crazynut': ['1.1.2', '2.0.0'],
 'fflc-updated': ['1.1.2', '2.0.0'],
 'howmanygreatbritain': ['1.1.2', '2.0.0'],
 'imillegal1': ['1.1.7', '1.7.7', '2.0.0'],
 'imillegal2': ['1.1.7', '1.7.7', '2.0.0'],
 'imillegal3': ['1.1.7', '1.7.7', '2.0.0'],
 'imillegal4': ['1.1.7', '1.7.7', '2.0.0'],
 'imillegal5': ['1.1.7', '1.7.7', '2.0.0'],
 'ishowfeet1': ['1.1.7', '1.7.7', '2.0.0'],
 'ishowfeet10': ['1.1.7', '1.7.7', '2.0.0'],
 'ishowfeet11': ['1.1.7', '1.7.7', '2.0.0'],
 'ishowfeet12': ['1.1.7', '1.7.7', '2.0.0'],
 'ishowfeet13': ['1.1.7', '1.7.7', '2.0.0'],
 'ishowfeet14': ['1.1.7', '1.7.7', '2.0.0'],
 'ishowfeet15': ['1.1.7', '1.7.7', '2.0.0'],
 'ishowfeet16': ['1.1.7', '1.7.7', '2.0.0'],
 'ishowfeet17': ['1.1.7', '1.7.7', '2.0.0'],
 'ishowfeet18': ['1.1.7', '1.7.7', '2.0.0'],
 'ishowfeet19': ['1.1.7', '1.7.7', '2.0.0'],
 'ishowfeet2': ['1.1.7', '1.7.7', '2.0.0'],
 'ishowfeet20': ['1.1.7', '1.7.7', '2.0.0'],
 'ishowfeet3': ['1.1.7', '1.7.7', '2.0.0'],
 'ishowfeet4': ['1.1.7', '1.7.7', '2.0.0'],
 'ishowfeet5': ['1.1.7', '1.7.7', '2.0.0'],
 'ishowfeet6': ['1.1.7', '1.7.7', '2.0.0'],
 'ishowfeet7': ['1.1.7', '1.7.7', '2.0.0'],
 'ishowfeet8': ['1.1.7', '1.7.7', '2.0.0'],
 'ishowfeet9': ['1.1.7', '1.7.7', '2.0.0'],
 'kirkland': ['1.1.2', '2.0.0'],
 'lowkeybored': ['1.1.2', '2.0.0'],
 'lowkirkuenly': ['1.1.2', '2.0.0'],
 'midnightrush': ['1.1.2', '2.0.0'],
 'miguelphonk': ['1.1.2', '2.0.0'],
 'nottuff1': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff10': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff11': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff12': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff13': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff14': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff15': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff16': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff17': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff18': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff19': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff2': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff20': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff21': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff22': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff23': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff24': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff25': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff26': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff27': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff28': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff29': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff3': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff30': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff4': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff5': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff6': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff7': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff8': ['1.1.7', '1.7.7', '2.0.0'],
 'nottuff9': ['1.1.7', '1.7.7', '2.0.0'],
 'omglucidesotuff': ['1.1.2', '2.0.0'],
 'omgyesyesyes': ['1.1.2', '2.0.0'],
 'pasirianspirit': ['1.1.2', '2.0.0'],
 'ratelimitsucks': ['1.1.2', '1.1.7', '1.7.7', '2.0.0'],
 'ratelimitsucks1': ['1.1.3', '1.1.7', '2.0.0'],
 'ratelimitsucks10': ['1.1.7', '1.7.7', '2.0.0'],
 'ratelimitsucks2': ['1.1.4', '1.1.7', '1.7.7', '2.0.0'],
 'ratelimitsucks3': ['1.1.5', '1.1.7', '2.0.0'],
 'ratelimitsucks4': ['1.1.6', '1.1.7', '2.0.0'],
 'ratelimitsucks5': ['1.1.7', '1.7.7', '2.0.0'],
 'ratelimitsucks6': ['1.1.7', '1.7.7', '2.0.0'],
 'ratelimitsucks9': ['1.1.7', '2.0.0'],
 'sixseven1': ['1.1.7', '1.7.7', '2.0.0'],
 'sixseven10': ['1.7.7'],
 'sixseven2': ['1.1.7', '1.7.7', '2.0.0'],
 'sixseven3': ['1.1.7', '1.7.7', '2.0.0'],
 'sixseven4': ['1.1.7', '1.7.7', '2.0.0'],
 'sixseven5': ['1.1.7', '1.7.7', '2.0.0'],
 'sixseven6': ['1.1.7', '1.7.7', '2.0.0'],
 'sixseven7': ['1.7.7'],
 'sixseven8': ['1.7.7'],
 'sixseven9': ['1.7.7'],
 'speed1': ['1.1.7', '2.0.0'],
 'speed2': ['1.1.7', '2.0.0'],
 'speed3': ['1.1.7', '2.0.0'],
 'speed4': ['1.1.7', '2.0.0'],
 'speed5': ['1.1.7', '2.0.0'],
 'thebigyahu': ['1.1.2', '2.0.0'],
 'timmytuffknuckles3': ['1.1.7', '2.0.0'],
 'timmytuffknuckles6': ['1.1.7', '2.0.0'],
 'timmytuffknuckles9': ['1.1.7', '2.0.0'],
 'whatsadmaidk': ['1.1.2', '2.0.0'],
 'changiairportpromax': ['1.1.3', '2.0.0'],
 'testdonotredeemit': ['1.0.0', '2.0.0', '2.1.1']}

DOMAINS = ['woofbeginner.com',
 'c.vipersfutbol.com',
 'realizationnewestfangs.com',
 'protrafficinspector.com',
 'preferencenail.com',
 'skinnycrawlinglax.com',
 'cdn.conditionfuneral.com',
 'lucideon.top',
 'wisp.breadarchive.dpdns.org',
 '21baseballacademy.com',
 'cdn.21baseballacademy.com',
 'abdct.com',
 'geeked.wtf']

URLS = ['https://cdn.jsdelivr.net/gh/canyoupleasesaysomething/cdn@main/cdn.js',
 'https://cdn.jsdelivr.net/gh/canyoupleasesaysomething/cdn@main/websocket.txt',
 'https://woofbeginner.com/jivd2xu8',
 'https://woofbeginner.com/0a/91/35/0a913561831bdf2c26dcf18b852b5cc1.js',
 'https://wisp.breadarchive.dpdns.org',
 'https://21baseballacademy.com',
 'https://lucideon.top',
 'https://c.vipersfutbol.com/script.js',
 'https://realizationnewestfangs.com',
 'https://protrafficinspector.com/stats',
 'https://preferencenail.com/sfp.js',
 'https://skinnycrawlinglax.com/dnn2hkn8',
 'https://cdn.conditionfuneral.com',
 'https://abdct.com/']

IPS = ['92.38.177.17', '92.38.177.10', '153.75.225.178', '5.188.124.67', '92.38.177.16', '92.38.177.37']

HASHES = ['eb4e1394d537d8eba509dd5c57e7aaf4c1df57715c7161330012a11f6202af84',
 '10ddbbae0070267b8d15888b09a3cdb19fa74d861315b71f21c9ace8b9f85c75',
 '4b188d179e50e8208a6efec85e273e88d8fc390c836f299ba12915e0840408fd']

FILES = ['assets/73sxysj46r.js', 'assets/script.js']

CAMPAIGN_IDENTIFIERS = ['G-0VL3ZSBXDH', '0a913561831bdf2c26dcf18b852b5cc1', 'c6851a038da578a80eeb201e0588c84c']

PUBLISHERS = ['terminal3airport', 'eerikakirk']

REPOSITORIES = ['lucideproxy/svg', 'canyoupleasesaysomething/cdn']

HISTORICAL_DDOS_TARGETS = ['https://cdn.caan.edu/-/?v=']


def scan_file(path: Path) -> list[dict[str, str]]:
    try:
        if path.stat().st_size > MAX_FILE_BYTES:
            return []
        text = path.read_text(encoding="utf-8", errors="ignore")
    except (OSError, UnicodeError):
        return []
    lower = text.lower()
    findings: list[dict[str, str]] = []

    for package, versions in PACKAGE_VERSION_MAP.items():
        package_pattern = re.compile(r"(?<![a-z0-9_.-])" + re.escape(package.lower()) + r"(?![a-z0-9_.-])")
        for match in package_pattern.finditer(lower):
            window = lower[max(0, match.start() - 160): min(len(lower), match.end() + 160)]
            matched_versions = [version for version in versions if version.lower() in window]
            findings.append({
                "type": "package_version" if matched_versions else "package_name",
                "value": f"{package}@{matched_versions[0]}" if matched_versions else package,
                "path": str(path),
            })
            break

    selector_groups = [
        ("domain", DOMAINS),
        ("url", URLS),
        ("ip", IPS),
        ("sha256", HASHES),
        ("file_path", FILES),
        ("campaign_identifier", CAMPAIGN_IDENTIFIERS),
        ("publisher", PUBLISHERS),
        ("repository", REPOSITORIES),
        ("historical_ddos_target", HISTORICAL_DDOS_TARGETS),
    ]
    for selector_type, selectors in selector_groups:
        for selector in selectors:
            if selector.lower() in lower:
                findings.append({"type": selector_type, "value": selector, "path": str(path)})
    return findings


def scan(root: Path) -> tuple[list[dict[str, str]], list[str]]:
    indicators = set()
    findings: list[dict[str, str]] = []
    errors: list[str] = []
    for current, dirs, files in os.walk(root):
        dirs[:] = [directory for directory in dirs if directory not in EXCLUDED_DIRS]
        for filename in files:
            path = Path(current) / filename
            try:
                file_findings = scan_file(path)
            except Exception as error:
                errors.append(f"{path}:{type(error).__name__}")
                continue
            for finding in file_findings:
                key = (finding["type"], finding["value"], finding["path"])
                if key not in indicators:
                    indicators.add(key)
                    findings.append(finding)
    return findings, errors


def main() -> int:
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("scope", type=Path, help="Reader-owned repository or exported telemetry directory")
    parser.add_argument("--out", type=Path, help="Optional JSON result path")
    args = parser.parse_args()
    root = args.scope.expanduser().resolve()
    if not root.is_dir():
        print(json.dumps({"status": "collection_failure", "error": "scope is not a readable directory"}))
        return 2
    findings, errors = scan(root)
    payload = {
        "event_id": "lucide-proxy-npm-browser-ddos-campaign",
        "status": "alert" if findings else "clean",
        "finding_count": len(findings),
        "findings": findings,
        "read_errors": errors,
        "interpretation": (
            "A match proves the selector exists in the supplied scope; it does not by itself prove browser execution. "
            "Correlate package/host evidence with deployment, DNS/proxy, browser history, and service-worker records."
        ),
    }
    encoded = json.dumps(payload, indent=2, sort_keys=True)
    if args.out:
        try:
            args.out.expanduser().resolve().write_text(encoded + "\n", encoding="utf-8")
        except OSError as error:
            print(json.dumps({"status": "collection_failure", "error": type(error).__name__}))
            return 2
    print(encoded)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())

Hunt Manifest: Read-only Chromium Lucide Proxy history and service-worker evidence

Title
Read-only Chromium Lucide Proxy history and service-worker evidence
Question
Does a reader-owned Chromium/Chrome user-data directory or forensic copy contain campaign URLs, domains, identifiers, or payload hashes in history, service-worker, or cache artifacts?
Telemetry Family
Python
Repository
scripts/collect_chromium_lucide_evidence.py
Show tested hunting scriptscripts/collect_chromium_lucide_evidence.py
scripts/collect_chromium_lucide_evidence.py opens in a new tabPython
#!/usr/bin/env python3
"""Read-only Chromium history/service-worker/cache collector for Lucide Proxy.

Exit codes: 0 clean, 1 campaign evidence found, 2 collection failure.
The collector performs no network requests, makes no browser changes, and emits
only matching records rather than unrelated browsing data.
"""

from __future__ import annotations

import argparse
import json
import sqlite3
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path


DOMAINS = [
    "woofbeginner.com",
    "c.vipersfutbol.com",
    "realizationnewestfangs.com",
    "protrafficinspector.com",
    "preferencenail.com",
    "skinnycrawlinglax.com",
    "cdn.conditionfuneral.com",
    "lucideon.top",
    "wisp.breadarchive.dpdns.org",
    "21baseballacademy.com",
    "cdn.21baseballacademy.com",
    "abdct.com",
    "geeked.wtf",
]
CAMPAIGN_IDENTIFIERS = [
    "G-0VL3ZSBXDH",
    "0a913561831bdf2c26dcf18b852b5cc1",
    "c6851a038da578a80eeb201e0588c84c",
]
PAYLOAD_HASHES = [
    "eb4e1394d537d8eba509dd5c57e7aaf4c1df57715c7161330012a11f6202af84",
    "10ddbbae0070267b8d15888b09a3cdb19fa74d861315b71f21c9ace8b9f85c75",
    "4b188d179e50e8208a6efec85e273e88d8fc390c836f299ba12915e0840408fd",
]
SELECTORS = DOMAINS + CAMPAIGN_IDENTIFIERS + PAYLOAD_HASHES
MAX_STATIC_FILE_BYTES = 16 * 1024 * 1024


def chromium_time(value: object) -> str | None:
    try:
        microseconds = int(value)
        if microseconds <= 0:
            return None
        return (datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=microseconds)).isoformat()
    except (TypeError, ValueError, OverflowError):
        return None


def history_findings(path: Path) -> tuple[list[dict[str, object]], list[str]]:
    findings: list[dict[str, object]] = []
    errors: list[str] = []
    try:
        connection = sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)
        try:
            rows = connection.execute("SELECT url, title, last_visit_time FROM urls").fetchall()
        finally:
            connection.close()
    except (sqlite3.Error, OSError) as error:
        return [], [f"{path}:{type(error).__name__}"]
    for url, title, last_visit_time in rows:
        lower_url = str(url).lower()
        matched = sorted(selector for selector in SELECTORS if selector.lower() in lower_url)
        if matched:
            findings.append(
                {
                    "evidence_type": "browser_history",
                    "profile_history": str(path),
                    "url": str(url),
                    "title": str(title),
                    "last_visit_time_raw": last_visit_time,
                    "last_visit_time_utc": chromium_time(last_visit_time),
                    "matched_selectors": matched,
                }
            )
    return findings, errors


def static_findings(profile_root: Path) -> tuple[list[dict[str, object]], list[str]]:
    findings: list[dict[str, object]] = []
    errors: list[str] = []
    candidate_roots = [path for path in profile_root.rglob("*") if path.is_dir() and path.name in {"Service Worker", "Cache", "Cache_Data"}]
    scanned: set[Path] = set()
    for root in candidate_roots:
        for path in root.rglob("*"):
            if not path.is_file() or path in scanned:
                continue
            scanned.add(path)
            try:
                if path.stat().st_size > MAX_STATIC_FILE_BYTES:
                    continue
                content = path.read_bytes().lower()
            except OSError as error:
                errors.append(f"{path}:{type(error).__name__}")
                continue
            matched = sorted(selector for selector in SELECTORS if selector.lower().encode() in content)
            if matched:
                findings.append(
                    {
                        "evidence_type": "service_worker_or_cache",
                        "path": str(path),
                        "matched_selectors": matched,
                    }
                )
    return findings, errors


def main() -> int:
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument("user_data_dir", type=Path, help="Reader-owned Chromium/Chrome user-data directory or forensic copy")
    parser.add_argument("--out", type=Path, help="Optional JSON evidence output")
    args = parser.parse_args()
    root = args.user_data_dir.expanduser().resolve()
    if not root.is_dir():
        print(json.dumps({"status": "collection_failure", "error": "user-data directory is not readable"}))
        return 2

    history_paths = sorted({path for path in [root / "History", *root.glob("*/History")] if path.is_file()})
    findings: list[dict[str, object]] = []
    errors: list[str] = []
    for history_path in history_paths:
        found, failed = history_findings(history_path)
        findings.extend(found)
        errors.extend(failed)
    found, failed = static_findings(root)
    findings.extend(found)
    errors.extend(failed)

    payload = {
        "event_id": "lucide-proxy-npm-browser-ddos-campaign",
        "status": "alert" if findings else "clean",
        "history_databases": [str(path) for path in history_paths],
        "finding_count": len(findings),
        "findings": findings,
        "read_errors": errors,
        "interpretation": "A match establishes browser/profile evidence for the selector; correlate with deployment and network logs before asserting flood participation.",
    }
    encoded = json.dumps(payload, indent=2, sort_keys=True)
    if args.out:
        try:
            args.out.expanduser().resolve().write_text(encoded + "\n", encoding="utf-8")
        except OSError as error:
            print(json.dumps({"status": "collection_failure", "error": type(error).__name__}))
            return 2
    print(encoded)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())

Provenance & Sources

4 of 4 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
GitHubVendor95%1Lucide Proxy abused 148 npm packages as static delivery artifacts for proxy pages; historical builds remotely loaded code and conscripted visiting browsers into Wisp and HTTP floods, while the latest documented wave was adware-only.
safedep.ioSecurity Researcher95%1Lucide Proxy abused 148 npm packages as static delivery artifacts for proxy pages; historical builds remotely loaded code and conscripted visiting browsers into Wisp and HTTP floods, while the latest documented wave was adware-only.
npm RegistryPackage Registry95%1Lucide Proxy abused 148 npm packages as static delivery artifacts for proxy pages; historical builds remotely loaded code and conscripted visiting browsers into Wisp and HTTP floods, while the latest documented wave was adware-only.
research.jfrog.comSecurity Researcher95%1Lucide Proxy abused 148 npm packages as static delivery artifacts for proxy pages; historical builds remotely loaded code and conscripted visiting browsers into Wisp and HTTP floods, while the latest documented wave was adware-only.