<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Atomdrift Discoveries</title>
  <link href="https://atomdrift.org/discoveries/feed.xml" rel="self"/>
  <link href="https://atomdrift.org/discoveries/"/>
  <id>https://atomdrift.org/discoveries/</id>
  <updated>2026-06-21T00:00:00Z</updated>
  <entry>
    <title>db-xorma: malware laundered through legit npm packages</title>
    <link href="https://atomdrift.org/discoveries/2026/06/db-xorma-laundry-everywhere/"/>
    <id>https://atomdrift.org/discoveries/2026/06/db-xorma-laundry-everywhere/</id>
    <updated>2026-06-21T00:00:00Z</updated>
    <summary>db-xorma&#39;s tarball carries no payload — just a clone of a real ORM whose one bolted-on method launders the attack through a real installer and a second cloned package, pulling the obfuscated BeaverTail loader from a paste host at runtime.</summary>
  </entry>
  <entry>
    <title>surf: BYO-Interpreter — a faked Go library hides a LuaJIT payload</title>
    <link href="https://atomdrift.org/discoveries/2026/06/surf-byo-interpreter/"/>
    <id>https://atomdrift.org/discoveries/2026/06/surf-byo-interpreter/</id>
    <updated>2026-06-13T00:00:00Z</updated>
    <summary>The real surf is a browser-impersonating Go library you import; the clone forgot to rename its module, turned its README into a Download button, and hides a LuaJIT screenshot-stealer in a 309 KB line of obfuscated text.</summary>
  </entry>
  <entry>
    <title>@sqlite-node/createsql: the DPRK&#39;s npm quota, fulfilled via GitHub Gist</title>
    <link href="https://atomdrift.org/discoveries/2026/06/sqlite-node-createsql-dprk-gist/"/>
    <id>https://atomdrift.org/discoveries/2026/06/sqlite-node-createsql-dprk-gist/</id>
    <updated>2026-06-13T00:00:00Z</updated>
    <summary>The 707-byte package ships nothing but a fetch-and-eval; four hops later the same BeaverTail-to-InvisibleFerret kit from three prior finds is back on a brand-new IP, running a node-pty shell and hunting wallet seed phrases.</summary>
  </entry>
  <entry>
    <title>onering: a crate that leaks unreleased source</title>
    <link href="https://atomdrift.org/discoveries/2026/06/onering-source-leak/"/>
    <id>https://atomdrift.org/discoveries/2026/06/onering-source-leak/</id>
    <updated>2026-06-10T00:00:00Z</updated>
    <summary>The poison runs in your repo, not the library&#39;s — cargo&#39;s build dir leads build.rs to the consuming project&#39;s git tree, where it scrapes the latest commit&#39;s author, email and full patch, then POSTs it as a routine Sentry crash report.</summary>
  </entry>
  <entry>
    <title>v018-axios-cdntest: C is for cookie, not cryptojacking</title>
    <link href="https://atomdrift.org/discoveries/2026/06/v018-axios-cdntest-c-is-for-cookie/"/>
    <id>https://atomdrift.org/discoveries/2026/06/v018-axios-cdntest-c-is-for-cookie/</id>
    <updated>2026-06-09T00:00:00Z</updated>
    <summary>It ships a self-described &#39;cryptojacker payload&#39; that POSTs shares to a stratum port over XHR and mines exactly nothing — yet the cookie stealer bolted onto real axios works fine, and the README reads like a startup pitch deck.</summary>
  </entry>
  <entry>
    <title>path-internal-util: don&#39;t chase the URL, catch the shape</title>
    <link href="https://atomdrift.org/discoveries/2026/06/path-internal-util-trojanized-path-remote-eval/"/>
    <id>https://atomdrift.org/discoveries/2026/06/path-internal-util-trojanized-path-remote-eval/</id>
    <updated>2026-06-09T00:00:00Z</updated>
    <summary>It&#39;s the real Joyent path module, verbatim, plus three lines that fetch a jsonkeeper paste and eval it — pull that thread and it unrolls into a live DPRK BeaverTail loader and a socket.io RAT.</summary>
  </entry>
  <entry>
    <title>express-timer: an npm &#39;security helper&#39; that self-destructs your src/</title>
    <link href="https://atomdrift.org/discoveries/2026/06/express-timer-self-destruct-wiper/"/>
    <id>https://atomdrift.org/discoveries/2026/06/express-timer-self-destruct-wiper/</id>
    <updated>2026-06-09T00:00:00Z</updated>
    <summary>Most malicious npm packages steal; this one just deletes your source tree a minute after you install it — and its author fumbled their own online-banking password into the very same tarball.</summary>
  </entry>
  <entry>
    <title>awaitly-visualizer: The miasma continues to floweth — a binding.gyp Bun worm</title>
    <link href="https://atomdrift.org/discoveries/2026/06/awaitly-visualizer-miasma-floweth/"/>
    <id>https://atomdrift.org/discoveries/2026/06/awaitly-visualizer-miasma-floweth/</id>
    <updated>2026-06-04T00:00:00Z</updated>
    <summary>No install hook to flag — npm auto-builds the binding.gyp it ships, which fetches its own Bun runtime to run a credential-harvesting worm outside node&#39;s view, forge Sigstore provenance, and republish the maintainer&#39;s other packages.</summary>
  </entry>
  <entry>
    <title>spadata: Gimme all your Roblox — the PyPI DataStore lib that isn&#39;t</title>
    <link href="https://atomdrift.org/discoveries/2026/06/spadata-roblox-cookie-stickup/"/>
    <id>https://atomdrift.org/discoveries/2026/06/spadata-roblox-cookie-stickup/</id>
    <updated>2026-06-03T00:00:00Z</updated>
    <summary>It promises a Roblox DataStore library and ships none of it — just an __init__.py that, on import, DPAPI-decrypts your Roblox session cookie and posts the cleartext to a Discord webhook; the README can&#39;t even spell its own name.</summary>
  </entry>
  <entry>
    <title>sourceflow-tracker: I Has a Bucket — npm fetches its payload from GCS</title>
    <link href="https://atomdrift.org/discoveries/2026/06/sourceflow-tracker-gcs-bucket-recon-beacon/"/>
    <id>https://atomdrift.org/discoveries/2026/06/sourceflow-tracker-gcs-bucket-recon-beacon/</id>
    <updated>2026-06-02T00:00:00Z</updated>
    <summary>A 379-byte package whose only load-bearing content is a dependency version string pointing into a Google Cloud Storage bucket — so npm itself downloads and detonates the payload, and the registry never holds a copy to scan.</summary>
  </entry>
  <entry>
    <title>clx-cookieparser: a cookie-parser clone whose evil twin is North Korean</title>
    <link href="https://atomdrift.org/discoveries/2026/05/clx-cookieparser-dependency-twin-beavertail/"/>
    <id>https://atomdrift.org/discoveries/2026/05/clx-cookieparser-dependency-twin-beavertail/</id>
    <updated>2026-05-28T00:00:00Z</updated>
    <summary>The package you install is the real express cookie-parser, tests and all — the theft lives one require() away in a twin dependency that pulls the DPRK&#39;s BeaverTail-to-InvisibleFerret kit, run by the same crew as web-dotenv.</summary>
  </entry>
  <entry>
    <title>@polka-ui/config: a postinstall that announces itself, then drops Sliver</title>
    <link href="https://atomdrift.org/discoveries/2026/05/polka-ui-config-dependency-confusion-sliver/"/>
    <id>https://atomdrift.org/discoveries/2026/05/polka-ui-config-dependency-confusion-sliver/</id>
    <updated>2026-05-27T00:00:00Z</updated>
    <summary>It stamps its own payload &#39;authorized testing only,&#39; then — past the Russian comments — exfils every npmrc and env secret and drops a real Go Sliver implant beaconing to a Russian host; the PoC label is the alibi.</summary>
  </entry>
  <entry>
    <title>aes-decode-runner-pro: an &#39;AES demo&#39; that decrypts itself into a RAT</title>
    <link href="https://atomdrift.org/discoveries/2026/05/aes-decode-runner-pro-nuitka-stealer/"/>
    <id>https://atomdrift.org/discoveries/2026/05/aes-decode-runner-pro-nuitka-stealer/</id>
    <updated>2026-05-27T00:00:00Z</updated>
    <summary>A tutorial-shaped AES codec whose import decrypts its own hardcoded ciphertext, pulls a 6 MB payload from nvidiadriver.net, and unpacks the Winpatch RAT — which impersonates lsass.exe to lift Chrome&#39;s app-bound encryption keys.</summary>
  </entry>
  <entry>
    <title>web-dotenv: a dotenv clone, plus one function that robs you</title>
    <link href="https://atomdrift.org/discoveries/2026/05/web-dotenv-jsonkeeper-redirector/"/>
    <id>https://atomdrift.org/discoveries/2026/05/web-dotenv-jsonkeeper-redirector/</id>
    <updated>2026-05-26T00:00:00Z</updated>
    <summary>A near-perfect copy of dotenv — 50M downloads a week — with one function bolted into config(), so booting your app fetches a stealer that combs $HOME for wallets and keys and watches your clipboard on a 750 ms loop.</summary>
  </entry>
  <entry>
    <title>shop-minis: a Shopify-shaped canary that rats you out to Burp</title>
    <link href="https://atomdrift.org/discoveries/2026/05/shop-minis-burp-canary/"/>
    <id>https://atomdrift.org/discoveries/2026/05/shop-minis-burp-canary/</id>
    <updated>2026-05-26T00:00:00Z</updated>
    <summary>A 762-byte dependency-confusion probe wearing the name of Shopify&#39;s private Shop Minis package, that slurps your CI env vars and ships them out two ways at once — HTTPS and DNS — to a Burp Collaborator.</summary>
  </entry>
  <entry>
    <title>system-user-identifier-cli: an &#39;identity helper&#39; that just opens a reverse shell</title>
    <link href="https://atomdrift.org/discoveries/2026/05/system-user-identifier-cli/"/>
    <id>https://atomdrift.org/discoveries/2026/05/system-user-identifier-cli/</id>
    <updated>2026-05-25T00:00:00Z</updated>
    <summary>799 bytes, two files, and a name like a thousand throwaway npx tools — it really does check your user id, then drops a bash /dev/tcp reverse shell and calls home.</summary>
  </entry>
  <entry>
    <title>@devcarron/clob: api-rs-node&#39;s rough draft, same binary, same self-dox</title>
    <link href="https://atomdrift.org/discoveries/2026/05/devcarron-clob/"/>
    <id>https://atomdrift.org/discoveries/2026/05/devcarron-clob/</id>
    <updated>2026-05-25T00:00:00Z</updated>
    <summary>The same Windows implant as api-rs-node, shipped 5½ hours earlier under a copy-pasted sharp README its author forgot to re-title — and the bundled config files finger the same dev machine twice over.</summary>
  </entry>
  <entry>
    <title>api-rs-node: a fake Rust bridge that doxxed its own author</title>
    <link href="https://atomdrift.org/discoveries/2026/05/api-rs-node-clob-dropper/"/>
    <id>https://atomdrift.org/discoveries/2026/05/api-rs-node-clob-dropper/</id>
    <updated>2026-05-25T00:00:00Z</updated>
    <summary>A &#39;high-performance Rust bridge&#39; that&#39;s really a Windows dropper — IPFS payload, registry persistence, a beacon on port 2026 — whose author bundled their own config files and named the very machine they built it on.</summary>
  </entry>
</feed>
