3562b022-4a4d-455f-857d-7b7564c38f6f
Investigate a supply chain attack on a package registry. Identify the phantom maintainer, the attack vector, all compromised packages, and reconstruct the attack timeline.
{
"evidence": "IP 212.181.80.130 is the common thread connecting the attack. This IP was used by crispy-octopus to publish packages with postinstall scripts ([email protected], [email protected]), by fuzzy-crab to publish [email protected] with postinstall, to create dusty-turtle account, and for failed login attempts on crispy-octopus. sandy-ray has ZERO audit log events despite being a registered maintainer who published [email protected]. sandy-ray IP 205.94.178.34 also has zero events. sandy-ray uses anonymous proton.me email. clever-tern has no 2FA and their credentials were used to publish [email protected] and [email protected] (flagged packages) with no corresponding audit trail entries from clever-tern's normal IPs. All postinstall scripts exfiltrate environment variables and hostname to telemetry-cdn.sh or telemetry-cdn.io domains.",
"methodology": "1. Started with GET /security/flagged to identify the 3 flagged packages. 2. Examined each flagged version to find publishers (clever-tern, sandy-ray) and malicious postinstall content. 3. Used get_suspicious_patterns to find shared IP 212.181.80.130 between crispy-octopus and fuzzy-crab. 4. Used compare_ips to confirm the IP sharing. 5. Got detailed timelines for all suspect maintainers. 6. Used get_ip_activity on 212.181.80.130 to find all events from attacker IP including dusty-turtle creation, failed logins, bulk publish, and ownership transfer. 7. Checked sandy-ray audit trail (empty) and IP (empty). 8. Cross-referenced maintainer.add and account.create events. 9. Verified all packages for postinstall scripts to find additional compromised versions beyond the flagged three.",
"attack_vector": "credential_phishing",
"phantom_handle": "sandy-ray",
"attack_timeline": [
{
"event": "Attacker publishes [email protected] with malicious postinstall from IP 212.181.80.130 using compromised crispy-octopus credentials",
"timestamp": "2025-11-23T12:00:00.000Z"
},
{
"event": "Phantom account sandy-ray created with proton.me email, only 1 package (hook-build)",
"timestamp": "2026-01-15T12:00:00.000Z"
},
{
"event": "Attacker publishes [email protected] with malicious postinstall from IP 212.181.80.130 using compromised crispy-octopus credentials",
"timestamp": "2026-01-25T12:00:00.000Z"
},
{
"event": "Attacker publishes [email protected] with malicious postinstall using stolen clever-tern credentials (no 2FA)",
"timestamp": "2026-02-06T12:00:00.000Z"
},
{
"event": "Attacker publishes [email protected] with malicious postinstall using stolen clever-tern credentials",
"timestamp": "2026-02-08T12:00:00.000Z"
},
{
"event": "Attacker creates dusty-turtle account from IP 212.181.80.130",
"timestamp": "2026-02-12T03:36:00.000Z"
},
{
"event": "Three failed login attempts on crispy-octopus from IP 212.181.80.130 (credential rotation detected)",
"timestamp": "2026-02-14T01:30:00.000Z"
},
{
"event": "Bulk version publish operation from 212.181.80.130 under crispy-octopus",
"timestamp": "2026-02-15T01:42:00.000Z"
},
{
"event": "Attacker publishes [email protected] with malicious postinstall from 212.181.80.130 using fuzzy-crab credentials",
"timestamp": "2026-02-15T12:00:00.000Z"
},
{
"event": "Attacker adds dusty-turtle as maintainer of weave-test from 212.181.80.130",
"timestamp": "2026-02-16T04:25:00.000Z"
},
{
"event": "Attacker publishes [email protected] with malicious postinstall as sandy-ray",
"timestamp": "2026-02-16T12:00:00.000Z"
},
{
"event": "Automated security scanner flags [email protected], [email protected], [email protected]",
"timestamp": "2026-03-01T12:00:00.000Z"
}
],
"compromised_packages": [
{
"name": "salt-http",
"compromised_version": "5.1.5"
},
{
"name": "hook-build",
"compromised_version": "3.1.3"
},
{
"name": "braid-pack",
"compromised_version": "3.6.1"
},
{
"name": "braid-pack",
"compromised_version": "1.0.3"
},
{
"name": "coral-hub",
"compromised_version": "2.2.5"
},
{
"name": "weave-test",
"compromised_version": "1.2.6"
}
],
"compromised_maintainer": "clever-tern"
}