Excerpt: Active credential theft via npm/PyPI typosquatting and Meta Business phishing. Urgent IOC review required.
Threat Summary
OTX Pulse data from 2026-07-09 reveals two distinct but high-risk campaigns focused on credential theft. The first involves a sophisticated supply chain attack targeting developers via typosquatted packages on npm and PyPI registries, mimicking popular payment SDKs (PaySafe, Skrill, Neteller). The second campaign abuses Meta's Business Account Manager infrastructure to deliver phishing emails that bypass traditional email filtering due to their legitimate origin. Both campaigns emphasize exfiltration of sensitive credentials (tokens, identities, MFA).
Threat Actor / Malware Profile
Adversary: Unknown (suspected organized crime/focused on financial credential harvesting).
Distribution Vectors:
- Supply Chain (Pulse 2): Publication of 17 malicious packages on npm and PyPI. Uses typosquatting techniques on names of legitimate payment SDKs.
- Social Engineering (Pulse 1): Abuse of Meta Business Account Manager to send phishing emails from legitimate
@meta.com(or similar infrastructure) addresses, leveraging a manipulated business partner mechanism to embed malicious URLs.
Payload Behavior:
- Malicious Packages: Designed to steal developer tokens and credentials. Features sophisticated anti-analysis techniques including sandbox detection (checking CPU core counts and hostname patterns).
- Phishing: Directs users to fraudulent verification pages (e.g.,
sw.run) to harvest identity documents and MFA tokens.
C2 Communication:
- Utilizes
ngrok-free.devtunnels to obfuscate C2 infrastructure for the supply chain malware. - Uses compromised or fraudulent domains for phishing landing pages.
IOC Analysis
Indicator Types:
- File Hashes (SHA256): 6 specific hashes associated with the malicious npm/PyPI packages.
- Domains/Hostnames: Including
ngrok-free.devsubdomains and specific C2 infrastructure. - URLs: Phishing landing pages.
Operational Guidance:
- Block: Immediate blocking of all listed domains and
*.ngrok-free.devat the proxy/DNS level. - Hunt: Use EDR solutions to scan for the specific SHA256 hashes on developer workstations and build servers.
- Decode: The
ngrokdomains suggest dynamic tunneling; forensics on these connections should focus on the process initiating the outbound connection (likelynode.exeorpython.exespawned by package managers).
Detection Engineering
---
title: Potential Malicious Package C2 Connection
id: 8f3c2d1a-5b6e-4c7d-9a1f-2b3c4d5e6f7a
description: Detects network connections to known malicious domains associated with the npm/PyPI typosquatting campaign and Meta phishing infrastructure.
status: experimental
author: Security Arsenal
date: 2026/07/09
references:
- https://otx.alienvault.com/
tags:
- attack.credential_access
- attack.command_and_control
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname|contains:
- 'ngrok-free.dev'
- 'goautolink.com'
- 'aussiecleaningservices.com'
- 'sw.run'
condition: selection
falsepositives:
- Legitimate use of ngrok by developers (rare in production)
level: high
---
title: Malicious File Hash Detection - Payment SDK Typosquatting
id: 9a4b1c2e-3d5f-4a6b-8c9d-0e1f2a3b4c5d
description: Detects files matching SHA256 hashes from the OTX pulse related to the malicious payment SDK packages.
status: experimental
author: Security Arsenal
date: 2026/07/09
logsource:
category: file_event
product: windows
detection:
selection:
Hashes|contains:
- 'ce09810adca70ebec87bc455380ef629ceaa2a0d926149d9115604060167682c'
- 'b2ea8d69f6792a87327ffde2ee4551bb6b99617f53e1ba71bf9a70f45dbc57ea'
- '8a70a5c1075f2dea4db94633ddc64b0d03d0385fdeda7c226acc944331febf43'
- 'c8b4d17c1f0aa7c50f2fa23d7c328482a4ad2c4da4d600f358ebdf200cbefd83'
- '9fd06d823d54183cc91625fdc6decffe8db2863f6499a955656ebdcc089792cf'
- '615805652b2f006e69512b90d0d63883d7ae1ede69d86384fd77bd46235b2369'
condition: selection
level: critical
---
title: Suspicious Payment SDK Typosquatting Installation
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
description: Detects installation of packages resembling PaySafe, Skrill, or Neteller which are targets of a typosquatting campaign.
status: experimental
author: Security Arsenal
date: 2026/07/09
logsource:
category: process_creation
product: windows
detection:
selection_npm:
Image|endswith: '\npm.cmd'
CommandLine|contains:
- 'install'
- 'i '
selection_pip:
Image|endswith: '\python.exe'
CommandLine|contains: 'pip install'
selection_keywords:
CommandLine|contains:
- 'paysafe'
- 'skrill'
- 'neteller'
condition: 1 of selection_* and selection_keywords
falsepositives:
- Legitimate installation of actual SDKs by authorized developers
level: medium
kql
// Hunt for C2 connections and Phishing Domains
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteUrl has_any ("ngrok-free.dev", "goautolink.com", "aussiecleaningservices.com", "sw.run")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemotePort
| order by Timestamp desc
// Hunt for malicious files by Hash
union DeviceFileEvents, DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in ("ce09810adca70ebec87bc455380ef629ceaa2a0d926149d9115604060167682c", "b2ea8d69f6792a87327ffde2ee4551bb6b99617f53e1ba71bf9a70f45dbc57ea", "8a70a5c1075f2dea4db94633ddc64b0d03d0385fdeda7c226acc944331febf43", "c8b4d17c1f0aa7c50f2fa23d7c328482a4ad2c4da4d600f358ebdf200cbefd83", "9fd06d823d54183cc91625fdc6decffe8db2863f6499a955656ebdcc089792cf", "615805652b2f006e69512b90d0d63883d7ae1ede69d86384fd77bd46235b2369")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessAccountName
powershell
# IOC Hunt Script for Malicious Hashes (Windows)
# Requires Admin Privileges for system-wide scan
$MaliciousHashes = @(
"ce09810adca70ebec87bc455380ef629ceaa2a0d926149d9115604060167682c",
"b2ea8d69f6792a87327ffde2ee4551bb6b99617f53e1ba71bf9a70f45dbc57ea",
"8a70a5c1075f2dea4db94633ddc64b0d03d0385fdeda7c226acc944331febf43",
"c8b4d17c1f0aa7c50f2fa23d7c328482a4ad2c4da4d600f358ebdf200cbefd83",
"9fd06d823d54183cc91625fdc6decffe8db2863f6499a955656ebdcc089792cf",
"615805652b2f006e69512b90d0d63883d7ae1ede69d86384fd77bd46235b2369"
)
Write-Host "[+] Starting scan for known malicious file hashes..." -ForegroundColor Cyan
# Define high-risk directories to scan
$Targets = @(
"$env:USERPROFILE\Downloads",
"$env:USERPROFILE\AppData\Local",
"$env:USERPROFILE\AppData\Roaming",
"C:\ProgramData",
"C:\Windows\Temp"
)
$FoundMalware = $false
foreach ($Target in $Targets) {
if (Test-Path $Target) {
Write-Host "Scanning $Target..." -ForegroundColor DarkGray
try {
Get-ChildItem -Path $Target -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
try {
$HashObj = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction Stop
if ($MaliciousHashes -contains $HashObj.Hash) {
Write-Host "[!] ALERT: Malicious file detected!" -ForegroundColor Red
Write-Host " Path: $($HashObj.Path)"
Write-Host " Hash: $($HashObj.Hash)"
$FoundMalware = $true
}
} catch {
# Ignore access errors
}
}
} catch {
# Ignore path errors
}
}
}
if (-not $FoundMalware) {
Write-Host "[+] No malicious files found in target directories." -ForegroundColor Green
} else {
Write-Host "[!] Investigation required. Isolate affected endpoints immediately." -ForegroundColor Red
}
Response Priorities
Immediate:
- Block all IOCs (domains, URLs, and hashes) on perimeter security devices and EDR.
- Identify and isolate any endpoints with detected file hashes.
24h:
- Conduct identity verification for users who may have interacted with the Meta Business phishing emails.
- Force rotation of API tokens and developer credentials for environments where the typosquatted packages may have been installed.
1 Week:
- Review and enforce software supply chain security policies (e.g., require package pinning, private registries).
- Implement email filtering rules to detect similar structural abuses in business partner communications, not just sender reputation.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.