4822a25e-023f-4d99-a5bf-888a9d8d9a03
Investigate a supply chain attack on a package registry. Identify the phantom maintainer, the attack vector, all compromised packages, and reconstruct the attack timeline.
{
"evidence": "1. IP 183.108.227.82 (phantom IP) is the common thread: it created frosty-whale, published malicious packages through stolen tokens from both rocky-ray and rusty-eel accounts, conducted the failed brute-force on rocky-ray, triggered all three security.* audit events, and added frosty-whale as maintainer to net-node.\n2. rocky-ray is the primary compromised maintainer: no 2FA enabled, their token was used to publish malicious versions of salt-log and twine-pool from the phantom IP. Dual-publish events (same version from legitimate IP and phantom IP simultaneously) confirm token theft.\n3. rusty-eel token was also stolen: [email protected] was published from both 111.21.153.250 (rusty-eel's legitimate IP) and 183.108.227.82 (phantom IP) at the same timestamp on Jan 10 — classic dual-publish fingerprint of credential compromise.\n4. frosty-whale created directly from phantom IP on Feb 3: compare_ips and IP activity both confirm the account creation event originated from 183.108.227.82.\n5. Attack vector confirmed by audit events: security.similar_package_registered (typosquat), security.maintainer_added_by_social_engineering, security.contributor_elevated — all from phantom IP, all on Feb 6.\n6. salty-ray (proton.me email, Jan 7 registration, 1 package) appears to be a phantom staging account used to publish [email protected] directly.",
"methodology": "1. Started with GET /security/flagged to identify initial alert packages. 2. Cross-referenced all flagged package version histories to identify publishers. 3. Pulled full maintainer list and flagged accounts with recent join dates and unusual email domains. 4. Used get_suspicious_patterns to identify rocky-ray as primary anomaly (unusual hours, shared IP, brute force). 5. Used compare_ips to identify phantom IP 183.108.227.82 shared between rocky-ray and rusty-eel. 6. Used get_ip_activity on phantom IP to reconstruct full attack timeline — this revealed dual-publish events, frosty-whale account creation, and all security.* events. 7. Pulled rusty-eel and rocky-ray full timelines to separate legitimate from phantom activity. 8. Identified four compromised packages: the three flagged plus [email protected] confirmed via phantom IP audit event.",
"attack_vector": "typosquat_takeover",
"phantom_handle": "frosty-whale",
"attack_timeline": [
{
"event": "salty-ray account registered with anonymous proton.me email — likely a phantom staging account",
"timestamp": "2026-01-07T12:00:00Z"
},
{
"event": "Phantom IP 183.108.227.82 publishes [email protected] with malicious postinstall script using rusty-eel's stolen API token — first confirmed malicious publish",
"timestamp": "2026-01-10T12:00:00Z"
},
{
"event": "Phantom IP publishes [email protected] with postinstall script using rocky-ray's compromised token — dual publish detected (same version from both legitimate and phantom IPs simultaneously)",
"timestamp": "2026-01-22T12:00:00Z"
},
{
"event": "Phantom IP publishes [email protected] with postinstall script using rocky-ray's token — another dual-publish event",
"timestamp": "2026-01-24T12:00:00Z"
},
{
"event": "frosty-whale account created directly from phantom IP 183.108.227.82 — attacker registers their primary infiltration identity",
"timestamp": "2026-02-03T03:51:00Z"
},
{
"event": "Three failed login attempts against rocky-ray's account from phantom IP between 00:17 and 06:31 — rocky-ray likely rotated credentials, cutting off previous token access",
"timestamp": "2026-02-05T00:17:00Z"
},
{
"event": "security.similar_package_registered event triggered from phantom IP — frosty-whale registers near-identical package names to build legitimacy (typosquat)",
"timestamp": "2026-02-06T01:42:00Z"
},
{
"event": "security.maintainer_added_by_social_engineering — phantom social engineers rocky-ray into adding frosty-whale as a maintainer",
"timestamp": "2026-02-06T03:05:00Z"
},
{
"event": "security.contributor_elevated — phantom escalates frosty-whale's permissions within the registry",
"timestamp": "2026-02-06T05:21:00Z"
},
{
"event": "rocky-ray's account (operated from phantom IP) formally adds frosty-whale as maintainer to net-node — phantom now has legitimate publish access",
"timestamp": "2026-02-07T04:19:00Z"
},
{
"event": "[email protected] published by rocky-ray with malicious postinstall — env vars and hostname exfiltrated to telemetry-cdn.dev. Detected by security scanner.",
"timestamp": "2026-02-09T12:00:00Z"
},
{
"event": "[email protected] published by rocky-ray with malicious postinstall — similar exfiltration payload targeting telemetry-cdn.io. Detected by security scanner.",
"timestamp": "2026-02-11T12:00:00Z"
},
{
"event": "[email protected] published by salty-ray with malicious postinstall — phantom uses secondary staging account to compromise hull-codec. Detected by security scanner.",
"timestamp": "2026-02-19T12:00:00Z"
},
{
"event": "Automated security scanner flags [email protected], [email protected], and [email protected]. Incident response begins.",
"timestamp": "2026-03-01T12:00:00Z"
}
],
"compromised_packages": [
{
"name": "salt-log",
"compromised_version": "5.1.5"
},
{
"name": "twine-pool",
"compromised_version": "3.0.3"
},
{
"name": "hull-codec",
"compromised_version": "6.3.3"
},
{
"name": "net-node",
"compromised_version": "3.2.4"
}
],
"compromised_maintainer": "rocky-ray"
}