
Supply Chain Swarm: Lumma, Vidar & OtterCookie Infostealers via Poisoned GitHub/NuGet Packages

Security Arsenal Team
May 13, 2026
5 min read

Current OTX Pulse data indicates a coordinated surge in supply chain attacks targeting developers and software supply chains. Adversaries, including the operator "TroyDen" and the North Korean-linked group "FAMOUS CHOLLIMA", are weaponizing open-source repositories (GitHub, NuGet, npm) to distribute complex infostealer payloads. The campaigns utilize AI-generated lure names, typosquatting of popular libraries (e.g., Chinese UI libraries, big.js), and social engineering around recent high-profile leaks (Claude Code) to trick users into executing malware. The primary objective is credential harvesting (browser, crypto, SSH keys) and initial access for subsequent ransomware deployment (The Gentlemen).

Threat Actor / Malware Profile

  • TroyDen (Lure Factory):
    • Malware: LuaJIT, Redline, LummaStealer.
    • Distribution: GitHub repositories utilizing AI-generated biological taxonomy names to entice developers and gamers.
    • Technique: Two-component payload design; uses Prometheus Obfuscator.
  • FAMOUS CHOLLIMA (Lazarus Group):
    • Malware: OtterCookie, BeaverTail, InvisibleFerret.
    • Distribution: Malicious npm packages employing a "benign wrapper" strategy. Legitimate libraries (like big.js) are cloned, while malicious dependencies pull the payload.
    • Technique: Dependency confusion; targets developers via "contagious interview" lures.
  • Unknown Actors (Opportunistic):
    • Malware: Vidar (v18.7), GhostSocks, TradeDownloader, Quantum, ArrowRAT.
    • Distribution: Trojanized NuGet packages (typosquatting Chinese UI libs) and fake GitHub repos claiming to contain leaked Claude Code.
    • Technique: .NET Reactor obfuscation; DLL sideloading (TukTuk framework).
  • Ransomware Linkage:
    • Activity involving EtherRAT and TukTuk C2 frameworks has been observed leading to "The Gentlemen" ransomware deployment, utilizing CVE-2025-55182 for initial access.
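The "benign wrapper" and typosquat patterns above can be checked at the manifest level before a package is ever installed. The following is an added example (not code from the Security Arsenal post): it audits a parsed package.json for a name that is a near-miss of a popular library, install-time lifecycle hooks that execute code, and dependencies that resolve outside the registry. The popular-name allowlist, the suspicious-token list and the sample manifest are constructed assumptions.

```python
# Constructed allowlist of popular package names that attackers clone or typosquat (assumption).
POPULAR = {"big.js", "lodash", "express", "axios", "react"}
# npm runs these hooks automatically during install, so they are the usual payload trigger.
RISKY_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Constructed tokens that rarely belong in a library's install hook (assumption).
RISKY_TOKENS = ("node -e", "curl ", "wget ", "powershell", "cmd /c", "base64")
# Specifiers that bypass the registry and its audit trail (the "malicious dependency pulls the payload" case).
REGISTRY_BYPASS = ("http://", "https://", "git+", "github:", "file:")

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1-2 from a popular name is the classic typosquat signature."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def near_misses(name: str, max_dist: int = 2) -> list[tuple[str, int]]:
    """Popular names that `name` almost, but not exactly, matches."""
    hits = []
    for pop in sorted(POPULAR):
        d = levenshtein(name, pop)
        if 0 < d <= max_dist:
            hits.append((pop, d))
    return hits

def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one parsed package.json; empty list means nothing flagged."""
    findings = []
    name = manifest.get("name", "")
    for pop, d in near_misses(name):
        findings.append(f"package name '{name}' is a near-miss of '{pop}' (distance {d})")
    scripts = manifest.get("scripts", {})
    for hook in RISKY_HOOKS:
        cmd = scripts.get(hook, "")
        if any(tok in cmd.lower() for tok in RISKY_TOKENS):
            findings.append(f"lifecycle hook '{hook}' runs a suspicious command: {cmd}")
    for section in ("dependencies", "optionalDependencies"):
        for dep, spec in manifest.get(section, {}).items():
            if spec.startswith(REGISTRY_BYPASS):
                findings.append(f"dependency '{dep}' resolves outside the registry: {spec}")
            for pop, d in near_misses(dep):
                findings.append(f"dependency '{dep}' is a near-miss of '{pop}' (distance {d})")
    return findings

# Constructed sample mimicking the benign wrapper: a typosquat of big.js that depends on the real
# library, pulls a helper from outside the registry, and runs code at install time.
SAMPLE_MANIFEST = {
    "name": "bigjs",
    "version": "6.2.1",
    "scripts": {"postinstall": "node -e \"require('./lib/setup')\""},
    "dependencies": {"big.js": "^6.2.1", "big-js-helper": "https://example.invalid/helper.tgz"},
}

if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST):
        print("[!]", line)
```

Run it against a checkout of a lockfile's packages (or wire it into a pre-install CI step) to surface these patterns before the install hooks get a chance to run.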

IOC Analysis

The provided indicators of compromise (IOCs) span infrastructure, file artifacts, and network destinations:

  • Infrastructure (IPv4): Multiple C2 IPs observed (e.g., 89.169.12.241, 213.176.73.80, 94.156.154.6). These should be blocked immediately at perimeter firewalls.
  • Domains & URLs: C2 domains such as dns-providersa2.com and g8way.io are used for payload staging and configuration updates. The use of Cloudflare tunnels (trycloudflare.com) was noted in ransomware precursor activity.
  • File Hashes: A mix of MD5, SHA1, and SHA256 hashes for malicious MSI installers, .NET payloads, and LuaJIT compiled scripts.
  • Operationalization: SOC teams should import these hashes into EDR solutions for immediate scanning. Network logs (NetFlow/DNS) should be queried for the listed domains and IPs to identify potential beaconing.

Detection Engineering

yaml
title: Suspicious Package Manager Child Process Creation
id: 48a1c6d4-8b9a-4f1d-9e3a-123456789abc
description: Detects suspicious child processes spawned by NuGet, npm, or GitHub CLI, often indicating supply chain malware execution.
status: experimental
date: 2026/05/13
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\nuget.exe'
      - '\npm.cmd'
      - '\node.exe'
      - '\git.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: selection
falsepositives:
  - Legitimate build scripts
level: high
---
title: Infostealer C2 Connection to Known Malicious Domains
id: 9b2e3f4a-1c5d-4e6f-9a8b-9876543210ab
description: Detects network connections to domains associated with Lumma, Vidar, and recent NuGet campaign C2 infrastructure.
status: experimental
date: 2026/05/13
author: Security Arsenal
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - 'dns-providersa2.com'
      - 'g8way.io'
      - 'trycloudflare.com'
    Initiated: 'true'
  condition: selection
falsepositives:
  - Rare (unlikely legitimate traffic)
level: critical
---
title: Trojanized MSI Installer Execution via LuaJIT
id: c3d4e5f6-7a8b-9c0d-1e2f-3a4b5c6d7e8f
description: Identifies execution of LuaJIT processes or unsigned MSI installers often used in TroyDen campaigns.
status: experimental
date: 2026/05/13
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection_msi:
    Image|endswith: '\msiexec.exe'
    CommandLine|contains: 'Temp'
    Signed: 'false'
  selection_luajit:
    Image|contains: 'luajit'
  condition: 1 of selection*
falsepositives:
  - Legitimate software installers
level: medium
kql
// Hunt for network connections to IOCs in DeviceNetworkEvents
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("dns-providersa2.com", "g8way.io", "cargomanbd.com")
   or RemoteIP in ("89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121", "217.119.129.76", "94.156.154.6", "213.176.73.159", "217.119.129.118", "147.45.197.92", "94.228.161.88")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
| top 100 by Timestamp desc
powershell
# PowerShell Hunt Script: Check for active connections to Malicious IPs
$maliciousIPs = @(
    "89.169.12.241", "213.176.73.80", "213.176.73.130", "217.119.129.121",
    "217.119.129.76", "94.156.154.6", "213.176.73.159", "217.119.129.118",
    "147.45.197.92", "94.228.161.88"
)

Write-Host "Checking for active network connections to known C2 infrastructure..." -ForegroundColor Cyan

$connections = Get-NetTCPConnection -State Established | Where-Object { 
    $maliciousIPs -contains $_.RemoteAddress 
}

if ($connections) {
    Write-Host "[ALERT] Found active connections to malicious IPs:" -ForegroundColor Red
    foreach ($conn in $connections) {
        $process = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        Write-Host "Local: $($conn.LocalAddress):$($conn.LocalPort) -> Remote: $($conn.RemoteAddress):$($conn.RemotePort) (PID: $($conn.OwningProcess) - Process: $($process.ProcessName))"
    }
} else {
    Write-Host "No active connections to malicious IPs detected." -ForegroundColor Green
}

Response Priorities

  • Immediate (0-4 hours):
    • Block all listed IPv4 addresses and domains at the perimeter and proxy level.
    • Quarantine endpoints matching the provided file hashes.
    • Kill processes connecting to dns-providersa2.com or g8way.io.
  • 24 Hours:
    • Initiate credential resets for developer accounts and any users who may have interacted with the trojanized NuGet/npm packages or GitHub repositories.
    • Rotate SSH keys and tokens stored on affected development machines.
  • 1 Week:
    • Implement strict package management policies (e.g., require signed packages for internal NuGet/npm feeds).
    • Enable application allowlisting for build agents to prevent execution of unauthorized unsigned binaries like LuaJIT in dev contexts.
