Pluto Security · Research
Last update · 2026-05-20
IOC dataset

Indicators of compromise

Two tables on this page. Indicators first - every domain, IP, hash, compromised package, payload filename, persistence artifact, MITRE technique, and CVE associated with the TeamPCP / UNC6780 campaign, in one searchable, filterable list with CSV export. Actor profile second - the names and accounts behind the campaign, role-tagged so you can tell hijacked victim from attacker-owned at a glance. The Sources column of each table names the researcher or vendor that published the entry. Values are defanged where appropriate.

133 IOCs
| Category | Value | Detail | Campaign | Sources |
|---|---|---|---|---|
| Domain | scan.aquasecurtiy[.]org | C2 | Trivy (Mar 19) | ramimac, ugurrates, Unit 42 |
| Domain | checkmarx[.]zone | C2 | LiteLLM (Mar 24) | ramimac, ugurrates |
| Domain | checkmarx[.]zone/vsx | C2 path | Multi-wave / shared | ramimac |
| Domain | checkmarx[.]zone/static/checkmarx-util-1.0.4.tgz | second-stage payload | Checkmarx (Mar 23) | ugurrates |
| Domain | checkmarx[.]zone/raw | persistence polling | LiteLLM (Mar 24) | ugurrates |
| Domain | models.litellm[.]cloud | C2 | LiteLLM (Mar 24) | Unit 42, ugurrates |
| Domain | tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0[.]io | ICP canister dead-drop C2 | CanisterWorm (Mar 20) | Unit 42, ugurrates |
| Domain | check.git-service[.]com | C2 (primary) | @antv mass-republish (May 18-19) | Wiz |
| Domain | t.m-kosche[.]com | C2 (backup) | @antv mass-republish (May 18-19) | Wiz, ramimac |
| Domain | git-tanstack[.]com | C2 (typosquat) | Multi-wave / shared | ramimac |
| Domain | nsa[.]cat | attacker VPS | Operator infrastructure | ramimac |
| Domain | recv.hackmoltrepeat[.]com | PAT exfil endpoint | Trivy (Mar 19) | OSM |
| Domain | audit.checkmarx[.]cx/v1/telemetry | C2 endpoint | Bitwarden CLI (Apr 23) | Socket |
| IP | 83.142.209.11 | C2 server | Checkmarx (Mar 23) | ugurrates |
| IP | 45.148.10.212 | C2 server | Trivy (Mar 19) | ugurrates |
| IP | 83.142.209.194 | legacy C2 | DurableTask (May 18) | Wiz |
| IP | 83.142.209.203:8080 | C2 (plain HTTP) | Telnyx (Mar 27) | Socket |
| IP | 94.154.172.43 | C2 IP | Bitwarden CLI (Apr 23) | Socket |
| Cloudflare tunnel | championships-peoples-point-cassette.trycloudflare[.]com | C2 tunnel URL | TeamPCP operator infra | Unit 42 |
| Cloudflare tunnel | create-sensitivity-grad-sequence.trycloudflare[.]com | C2 tunnel URL | TeamPCP operator infra | Unit 42 |
| Cloudflare tunnel | investigation-launches-hearings-copying.trycloudflare[.]com | C2 tunnel URL | TeamPCP operator infra | Unit 42 |
| Cloudflare tunnel | plug-tab-protective-relay.trycloudflare[.]com | C2 tunnel URL | TeamPCP operator infra | Unit 42 |
| Cloudflare tunnel | souls-entire-defined-routes.trycloudflare[.]com | C2 tunnel URL | TeamPCP operator infra | Unit 42 |
| SHA-256 | 18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a | Trivy malicious entrypoint.sh stealer | Trivy (Mar 19) | Phoenix Security |
| SHA-256 | c37c0ae9641d2e5329fcdee847a756bf1140fdb7f0b7c78a40fdc39055e7d926 | CanisterWorm Wave 4 (final form) | CanisterWorm (Mar 20) | Aikido |
| SHA-256 | 0c0d206d5e68c0cf64d57ffa8bc5b1dad54f2dda52f24e96e02e237498cb9c3a | CanisterWorm Wave 3 (self-propagating test) | CanisterWorm (Mar 20) | Aikido |
| SHA-256 | 61ff00a81b19624adaad425b9129ba2f312f4ab76fb5ddc2c628a5037d31a4ba | CanisterWorm Wave 2 (armed ICP backdoor) | ICP fallback C2 (Mar 22) | Aikido |
| SHA-256 | f398f06eefcd3558c38820a397e3193856e4e6e7c67f81ecc8e533275284b152 | CanisterWorm Wave 1 deploy.js | CanisterWorm (Mar 20) | Aikido |
| SHA-256 | 7df6cef7ab9aae2ea08f2f872f6456b5d51d896ddda907a238cd6668ccdc4bb7 | CanisterWorm Wave 2 deploy.js | CanisterWorm (Mar 20) | Aikido |
| SHA-256 | 5e2ba7c4c53fa6e0cef58011acdd50682cf83fb7b989712d2fcf1b5173bad956 | CanisterWorm Wave 3+ deploy.js minified | CanisterWorm (Mar 20) | Aikido |
| SHA-256 | e9b1e069efc778c1e77fb3f5fcc3bd3580bbc810604cbf4347897ddb4b8c163b | CanisterWorm Wave 1 index.js (dry run, empty payload, manual deployment) | CanisterWorm (Mar 20) | Aikido |
| SHA-256 | 069ac1dc7f7649b76bc72a11ac700f373804bfd81dab7e561157b703999f44ce | durabletask rope.pyz | DurableTask (May 18) | Wiz |
| SHA-256 | 7d80b3ef74ad7992b93c31966962612e4e2ceb93e7727cdbd1d2a9af47d44ba8 | durabletask-1.4.1-py3-none-any.whl | DurableTask (May 18) | Wiz |
| SHA-256 | aeaf583e20347bf850e2fabdcd6f4982996ba023f8c2cd56bbd299cfd56516f5 | durabletask-1.4.2-py3-none-any.whl | DurableTask (May 18) | Wiz |
| SHA-256 | 877ff2531a63393c4cb9c3c86908b62d9c4fc3db971bc231c48537faae6cb3ec | durabletask-1.4.3-py3-none-any.whl | DurableTask (May 18) | Wiz |
| SHA-256 | 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34 | Mini Shai-Hulud setup.mjs loader (byte-identical across SAP CAP packages) | SAP CAP (Apr 29) | OSM |
| SHA-256 | 80a3d2877813968ef847ae73b5eeeb70b9435254e74d7f07d8cf4057f0a710ac | Mini Shai-Hulud execution.js shipped with mbt@1.2.48 | SAP CAP (Apr 29) | OSM |
| SHA-256 | 6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95 | Mini Shai-Hulud execution.js shipped with @cap-js/sqlite@2.2.2 | SAP CAP (Apr 29) | OSM |
| SHA-256 | 72c08e044dd427964bc14339f95838e3d45f51f6a586330c683fbb59ea374b1d | PureHVNC oqqqqoa.mp3 PowerShell loader (36,748-line obfuscated, MP3 masquerade) | PureHVNC (Mar 31) | OSM |
| SHA-256 | eb6eb4154b03ec73218727dc643d26f4e14dfda2438112926bb5daf37ae8bcdb | Mini Shai-Hulud execution.js third variant (SAP CAP wave) | SAP CAP (Apr 29) | Socket |
| SHA-256 | 35baf8316645372eea40b91d48acb067 | Mini Shai-Hulud setup.mjs (MD5; complements the OSM-contributed SHA-256) | Multi-wave / shared | Socket |
| SHA-256 | 29ac906c8bd801dfe1cb39596197df49f80fff2270b3e7fbab52278c24e4f1a7 | Mini Shai-Hulud SAP CAP embedded /proc/mem credential dumper | SAP CAP (Apr 29) | Snyk |
| SHA-256 | a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c | Mini Shai-Hulud @antv payload | @antv mass-republish (May 18-19) | Snyk |
| SHA-256 | 71e35aef03099cd1f2d6446734273025a163597de93912df321ef118bf135238 | LiteLLM Stage 1 litellm_init.pth | LiteLLM (Mar 24) | Snyk |
| SHA-256 | a0d229be8efcb2f9135e2ad55ba275b76ddcfeb55fa4370e0a522a5bdee0120b | LiteLLM Stage 2 proxy_server.py | LiteLLM (Mar 24) | Snyk |
| SHA-256 | 6cf223aea68b0e8031ff68251e30b6017a0513fe152e235c26f248ba1e15c92a | LiteLLM Stage 3 sysmon.py persistence | LiteLLM (Mar 24) | Snyk |
| Malware family | SANDCLOCK | credential stealer - formal malware-family designation for TeamPCP's credential stealer - the 204-line entrypoint.sh that self-identifies as 'TeamPCP Cloud stealer' | Multi-wave / shared | Google GTIG |
| Malware family | CanisterWorm | self-propagating npm worm - 4 distinct waves over the March 2026 campaign; first npm malware to use an ICP blockchain canister for C2 (sometimes used interchangeably with the actor in press) | ICP fallback C2 (Mar 22) | Aikido |
| Malware family | Mini Shai-Hulud | self-propagating npm worm - First wave Apr 29 (SAP CAP, 4 packages). Expanded to 170+ packages across 19 npm namespaces + 2 PyPI by May 13. Uses .vscode/tasks.json folderOpen primitive borrowed from DPRK-aligned PolinRider/TasksJacker. Bun runtime as LOLBin. Exfil via Session P2P messaging network. Self-named by TeamPCP. | Mini Shai-Hulud (May 13) | Snyk |
| Malware family | PureHVNC RAT | remote access trojan - Suspected TeamPCP pivot. MP3-masquerade PowerShell loader → multi-stage drop → hidden VNC. Attribution: hypothesized only (audio-file tradecraft match with Telnyx WAV stego). Pre-existing commercial RAT family. | Telnyx (Mar 27) | OSM |
| Compromised package | 47+ packages in @emilgroup, @opengov, @v7 namespaces | npm | CanisterWorm (Mar 20) | Aikido, OSM, ugurrates |
| Compromised package | @teale.io/eslint-config v1.8.11, v1.8.12 | npm | CanisterWorm self-propagating variant (Mar 21) | Aikido |
| Compromised package | 323 packages in @antv ecosystem | npm | @antv mass-republish (May 18-19) | Snyk, OX Security, ramimac |
| Compromised package | 42 @tanstack/* packages with 84 malicious versions | npm | Mini Shai-Hulud TanStack (May 11) | ThreatLocker, StepSecurity |
| Compromised package | Bitwarden CLI @bitwarden/cli@2026.4.0 | npm | Mini Shai-Hulud 'Third Coming' (Apr 23) | OSM, Socket |
| Compromised package | Mistral AI npm packages | npm | Mini Shai-Hulud wave victim | ramimac |
| Compromised package | litellm v1.82.7, v1.82.8 | pypi | LiteLLM (Mar 24) | Unit 42, Snyk, Endor Labs |
| Compromised package | telnyx v4.87.1, v4.87.2 | pypi | Telnyx (Mar 27) | Socket, ramimac |
| Compromised package | guardrails-ai v0.10.1 | pypi - Key A RSA payload | guardrails-ai (Apr-May) | Wiz |
| Compromised package | durabletask v1.4.1, v1.4.2, v1.4.3 | pypi - Key B RSA payload | durabletask (May 18) | Wiz |
| Compromised package | mistralai v2.4.6 | pypi | PyPI Mini Shai-Hulud | ramimac |
| Compromised package | aquasecurity/trivy-action | github_actions - 75 of 76 tags per ugurrates / 76 of 77 per SANS - inventory delta | Trivy (Mar 19) | ugurrates, SANS |
| Compromised package | aquasecurity/setup-trivy | github_actions - all 7 tags | Trivy (Mar 19) | ugurrates, SANS |
| Compromised package | Checkmarx/kics-github-action | github_actions - all 35 tags | KICS (Mar 23) | Sysdig, ramimac |
| Compromised package | Checkmarx/ast-github-action | github_actions - v2.3.28 confirmed, likely all | Checkmarx ast (Mar 23) | Sysdig |
| Compromised package | docker.io/aquasec/trivy: 0.69.4, 0.69.5, 0.69.6 | container_images | Trivy (Mar 19) | Socket, ramimac |
| Compromised package | ghcr.io/aquasecurity/trivy: 0.69.4, 0.69.5, 0.69.6 | container_images | Trivy (Mar 19) | Socket, ramimac |
| Compromised package | public.ecr.aws/aquasecurity/trivy: 0.69.4, 0.69.5, 0.69.6 | container_images | Trivy (Mar 19) | Socket, ramimac |
| Compromised package | checkmarx.ast-results v2.53.0 | openvsx_extensions - safe: >=2.56.0 | Checkmarx OpenVSX (Mar 23) | ugurrates, CSA |
| Compromised package | checkmarx.cx-dev-assist v1.7.0 | openvsx_extensions - safe: >=1.10.0 | Checkmarx OpenVSX (Mar 23) | ugurrates, CSA |
| Compromised package | Unnamed extension (initial-access vector for May 20 GitHub breach) | vs_code_marketplace - GitHub disclosure did not name the extension | GitHub internal breach (May 20) | The Hacker News, Coinfomania |
| Compromised package | Nx Console | vs_code_marketplace - referenced as compromised; details thin | GitHub-adjacent (May 20) | The Hacker News |
| Payload filename | litellm_init.pth | Stage 1 orchestrator | LiteLLM (Mar 24) | Snyk |
| Payload filename | proxy_server.py | Stage 2 collector | LiteLLM (Mar 24) | Snyk |
| Payload filename | sysmon.py | Stage 3 persistence | LiteLLM (Mar 24) | Snyk |
| Payload filename | hangup.wav | Windows steganography delivery | Telnyx (Mar 27) | Socket, ramimac |
| Payload filename | ringtone.wav | Linux/macOS steganography delivery | Telnyx (Mar 27) | Socket, ramimac |
| Payload filename | msbuild.exe | Windows persistence dropper | Telnyx (Mar 27) | Socket, ramimac |
| Payload filename | entrypoint.sh | Trivy stealer, 204 lines, self-identifies as 'TeamPCP Cloud stealer' (formally SANDCLOCK) | Trivy (Mar 19) | Phoenix Security, ramimac, Unit 42 |
| Payload filename | tpcp.tar.gz | encrypted exfil archive | Trivy → Telnyx cascade | ugurrates, Unit 42 |
| Payload filename | kamikaze.sh | Iran wiper container | CanisterWorm Iran variant (Mar 22) | Aikido, Unit 42 |
| Payload filename | kube.py | K8s reconnaissance / wiper helper | CanisterWorm | Aikido |
| Payload filename | prop.py | atool/prop maintainer-account loader script | @antv mass-republish (May 18-19) | Snyk, OX Security |
| Payload filename | /tmp/pglog | CanisterWorm dropper binary | CanisterWorm (Mar 20) | Aikido |
| Payload filename | /tmp/managed.pyz | durabletask staged Python archive | durabletask (May 18) | Wiz |
| Payload filename | /tmp/rope-*.pyz | durabletask staged Python archive (rope.pyz family) | durabletask (May 18) | Wiz |
| Payload filename | monitor.js | NOTE: this is GhostClaw, NOT TeamPCP - exclude from TeamPCP detection | GhostClaw (false positive) | JFrog |
| Payload filename | setup.mjs | Mini Shai-Hulud preinstall loader; downloads Bun then runs execution.js | Mini Shai-Hulud | OSM, Snyk, Socket |
| Payload filename | execution.js | Mini Shai-Hulud SAP CAP wave 11.6 MB obfuscated stage | Mini Shai-Hulud SAP CAP (Apr 29) | OSM, Snyk, Socket |
| Payload filename | tanstack_runner.js | Mini Shai-Hulud TanStack/OpenSearch wave Bun stage | Mini Shai-Hulud TanStack (May 11) | StepSecurity, ThreatLocker |
| Payload filename | router_init.js | Mini Shai-Hulud TanStack wave 2.3 MB obfuscated stage | Mini Shai-Hulud TanStack (May 11) | StepSecurity, ThreatLocker |
| Payload filename | oqqqqoa.mp3 | PureHVNC PowerShell loader masquerading as MP3 (36,748-line obfuscated) | PureHVNC pivot (Mar 31) | OSM |
| Persistence artifact | ~/.config/sysmon/ | backdoor directory | LiteLLM / Trivy era | Snyk, ramimac |
| Persistence artifact | ~/.config/sysmon.py | Stage-3 persistence script | LiteLLM (Mar 24) | Snyk |
| Persistence artifact | ~/.config/systemd/user/sysmon.service | systemd user-mode persistence unit | LiteLLM (Mar 24) | Snyk |
| Persistence artifact | ~/.config/systemd/user/pgmon.service | PostgreSQL masquerade systemd unit | CanisterWorm (Mar 20) | Aikido |
| Persistence artifact | /tmp/pglog, /tmp/.pg_state | CanisterWorm dropper + state files | CanisterWorm (Mar 20) | Aikido |
| Persistence artifact | ~/.cache/.sys-update-check, ~/.cache/.sys-update-check-k8s | durabletask persistence markers | durabletask (May 18) | Wiz |
| Persistence artifact | .claude/ directory | Mini Shai-Hulud Claude Code workspace plant | Mini Shai-Hulud | StepSecurity, Snyk |
| Persistence artifact | .vscode/ directory | Mini Shai-Hulud VS Code workspace plant | Mini Shai-Hulud | StepSecurity, Snyk |
| Persistence artifact | LaunchAgent services on macOS | Mini Shai-Hulud macOS persistence | Mini Shai-Hulud | Snyk |
| Persistence artifact | .vscode/tasks.json with `runOn: folderOpen` | Mini Shai-Hulud; primitive borrowed from DPRK PolinRider/TasksJacker | Mini Shai-Hulud | Snyk, StepSecurity |
| Persistence artifact | .claude/settings.json with SessionStart hook | Mini Shai-Hulud; novel addition over PolinRider - fires when Claude Code attaches to workspace | Mini Shai-Hulud | Snyk |
| Persistence artifact | .claude/execution.js / .claude/router_runtime.js / .claude/setup.mjs | Mini Shai-Hulud Claude-folder payload triplet | Mini Shai-Hulud | Snyk, StepSecurity |
| Persistence artifact | .vscode/setup.mjs | Mini Shai-Hulud VS Code payload | Mini Shai-Hulud | Snyk, StepSecurity |
| Persistence artifact | .github/workflows/* injected via GraphQL createCommitOnBranch with spoofed author `claude@users.noreply.github.com` | Mini Shai-Hulud TanStack wave commit-injection persistence | Mini Shai-Hulud TanStack (May 11) | StepSecurity, Snyk |
| Persistence artifact | hidden VNC server | PureHVNC RAT GUI access channel | PureHVNC pivot (Mar 31) | OSM |
| Exfil repo | tpcp-docs | Trivy wave fallback dead-drop | Trivy (Mar 19) | ramimac, ugurrates |
| Exfil repo | docs-tpcp | Checkmarx wave fallback dead-drop | Checkmarx (Mar 23) | ramimac |
| Exfil repo | HackingLZ/litellm_1.82.8_payload | GitHub dead-drop with full malicious payload | LiteLLM (Mar 24) | ramimac, Snyk |
| Exfil repo | HackingLZ/telnyx_4.87.1_payload | GitHub dead-drop with full malicious payload | Telnyx (Mar 27) | ramimac, Socket |
| Exfil repo | nxb1t/litellm-1.82.7_sample | GitHub dead-drop sample copy | LiteLLM (Mar 24) | ramimac |
| Orphaned commit | 1885610c | Orphaned (non-merged) commit on the Trivy repository associated with the Feb 27 PwnRequest staging - useful for forensic searches across forks | Trivy PwnRequest (Feb 27) | ramimac |
| Orphaned commit | 70379aad | Orphaned (non-merged) commit on the Trivy repository associated with the Feb 27 PwnRequest staging - useful for forensic searches across forks | Trivy PwnRequest (Feb 27) | ramimac |
| MITRE ATT&CK | T1195.002 | Supply Chain Compromise: Software Dependencies - GitHub Actions tag poisoning, OpenVSX, npm, PyPI | MITRE ATT&CK mapping | Unit 42 |
| MITRE ATT&CK | T1552.005 | Unsecured Credentials: Cloud Instance Metadata API - AWS IMDS theft from CI runners | MITRE ATT&CK mapping | Unit 42, Wiz |
| MITRE ATT&CK | T1555 | Credentials from Password Stores - Filesystem credential sweep (50+ paths) | MITRE ATT&CK mapping | Unit 42 |
| MITRE ATT&CK | T1003 | OS Credential Dumping - Runner.Worker /proc/<pid>/mem scraping | MITRE ATT&CK mapping | ThreatLocker, Snyk |
| MITRE ATT&CK | T1041 | Exfiltration Over C2 Channel - Encrypted tpcp.tar.gz to typosquat domains | MITRE ATT&CK mapping | Unit 42, ugurrates |
| MITRE ATT&CK | T1102 | Web Service - ICP canister dead-drop C2 | MITRE ATT&CK mapping | Unit 42, Aikido |
| MITRE ATT&CK | T1543.002 | Systemd Service - pgmon.service, sysmon.service persistence | MITRE ATT&CK mapping | Aikido, Snyk |
| MITRE ATT&CK | T1105 | Ingress Tool Transfer - checkmarx-util-1.0.4.tgz download | MITRE ATT&CK mapping | ugurrates |
| MITRE ATT&CK | T1583.001 | Acquire Infrastructure: Domains - Per-wave typosquat domains | MITRE ATT&CK mapping | Unit 42, ramimac |
| MITRE ATT&CK | T1546.018 | Event Triggered Execution: Python Initialization - litellm_init.pth (CPython startup hijack) | MITRE ATT&CK mapping | Snyk |
| CVE / advisory | CVE-2026-33634 | CVSS 9.4 - Trivy supply chain compromise (the most impactful CI/CD attack of 2026 so far per ugurrates). Listed in CISA KEV with April 8 federal remediation deadline. Sources: CISA KEV catalog; ugurrates community timeline; SANS ISC Update 007. | CVE / advisory | CISA KEV catalog, ugurrates, SANS ISC |
| CVE / advisory | CVE-2026-45321 | CVSS 9.6 - TanStack supply chain compromise via pull_request_target / OIDC theft. Source: ThreatLocker May 11 attack-chain analysis + NVD. | CVE / advisory | ThreatLocker |
| CVE / advisory | CVE-2025-55182 | React2Shell campaign (Dec 2025 precursor; chained backward by ramimac + Unit42 timelines). | CVE / advisory | - |
| FP filter | setup.sh (filename) | too generic; legitimate uses: Ansible, Bitnami, Claude Code plugin cache | Defender utility (FP filter) | ugurrates |
| FP filter | service.py (filename) | too generic; legitimate uses: Ansible module_utils, K8s | Defender utility (FP filter) | ugurrates |
| FP filter | deploy.js (filename) | too generic; standard npm/node file | Defender utility (FP filter) | ugurrates |
| FP filter | 169.254.169.254 (IMDS IP) | legitimate monitoring tools also hit this (FortiMonitor, Oracle AHF) | Defender utility (FP filter) | ugurrates |
| FP filter | icp0.io (parent domain) | too broad; catches legitimate ICP traffic - filter on the specific canister ID instead | Defender utility (FP filter) | ugurrates, Aikido |
| FP filter | hooks.slack.com / discord.com/api/webhooks | legitimate integrations; correlate with payload behavior before alerting | Defender utility (FP filter) | ugurrates |
Actor profile

Names and accounts

Identity intelligence on the TeamPCP / UNC6780 operator: the names they go by (and who coined each one), the accounts they own, the accounts they created as sock-puppets, the legitimate accounts they hijacked, and the identities they impersonate. Each role implies a different response - rotate (hijacked), block / report (sock-puppet), monitor (actor-owned), harden author-verification (impersonation).

25 entries
| Identifier | Kind | Role / designation | Platform / designator | Detail |
|---|---|---|---|---|
| TeamPCP | Name | Self-named | - | Primary self-chosen name. Appears in their own forum posts, the git-tanstack.com defacement page ("With Love TeamPCP"), and the 'TeamPCP Cloud stealer' payload self-identifier string. Catalogued by ramimac + Unit42 + every vendor write-up. |
| UNC6780 | Name | Vendor-designated | Google Threat Intelligence Group (GTIG) | UNC = uncategorized cluster designation; financial-motivation assessment. The vendor-canonical cluster label used in Mandiant + GTIG reporting. |
| PCPcat | Name | Self-named | - | Informal self-reference; explains the "play around with the cats" line in @xploitrsturtle2's May 20 X post. Catalogued by ramimac. |
| ShellForce | Name | Self-named | - | Self-chosen alias used in operator communications. Catalogued by ramimac + Unit42. |
| CipherForce | Name | Self-named | - | Self-chosen alias; also the name of a coalition group announced late March 2026 on BreachForums. Catalogued by ramimac + Unit42. |
| DeadCatx3 | Name | Self-named | - | Self-chosen alias used in operator communications. Catalogued by ramimac + Unit42. |
| @Persy_PCP | Handle | Actor-owned | Telegram | Primary operator-facing Telegram handle. Linked-to from LAPSUS$ Telegram channel (per OSM 2026-03-26). Catalogued by ramimac + Unit42. |
| @teampcp | Handle | Actor-owned | Telegram | Group-name Telegram handle alongside @Persy_PCP. Catalogued by ramimac + Unit42. |
| Team_PCP | Handle | Actor-owned | Telegram | Underscore-form Telegram identifier; previously operated as 'Black Witch / PCP' before renaming (per Okta 2026-05-18). |
| Black Witch / PCP | Handle | Actor-owned | Telegram (historical) | Prior Telegram identifier for the group before the 'Team_PCP' rename - useful for forensic searches in older threat-intel archives (per Okta 2026-05-18). |
| @xploitrsturtle2 | Handle | Actor-owned | X (Twitter) | TeamPCP statement channel during GitHub breach (May 20). Catalogued by The Hacker News + Coinfomania. |
| @xpl0itrs | Handle | Actor-owned | X (Twitter) | Second TeamPCP-linked X account, recent posts around the GitHub breach including stated intent to donate proceeds to charity. Catalogued by The Hacker News. |
| MegaGame10418 | Handle | Attacker sock-puppet | GitHub | Attacker-created GitHub account that opened the Feb 27 PwnRequest against Trivy (PR #10252). Catalogued by ramimac + ugurrates. |
| hackerbot-claw | Handle | Attacker sock-puppet | GitHub | Attacker-created automated scanner account used for Feb 20 reconnaissance against ~5 candidate target repos. Catalogued by ARMO + ramimac. |
| ast-phoenix | Handle | Hijacked account | OpenVSX | Compromised Checkmarx publisher account on OpenVSX. Used to publish poisoned ast-results extension (per ugurrates + CSA). |
| cx-plugins-releases | Handle | Hijacked account | GitHub | Compromised Checkmarx publisher account on GitHub. Used to push kics-github-action tag updates (per Sysdig TRT + ramimac). |
| aqua-bot | Handle | Hijacked account | GitHub | Compromised Aqua service account. PAT harvested during Feb 27 PwnRequest, used Mar 19 to push the malicious trivy-action and setup-trivy tags (per ramimac + ugurrates + SANS). |
| atool | Handle | Hijacked account | npm | Maintainer account hijacked in May 18-19 mass-republish wave; publishes 547 packages including full AntV suite; 318 packages republished by attacker (per OX + Snyk). |
| prop | Handle | Hijacked account | npm | Second hijacked maintainer account in same May 18-19 wave; 6 packages including openclaw-cn family + @starmind/collector-cli (per OX + Snyk). |
| cloudmtabot | Handle | Hijacked account | npm (SAP) | Legitimate SAP service account whose npm token was stolen to publish malicious mbt@1.2.48 in the Apr 29 SAP CAP wave (per Snyk + OSM). |
| Argon-DevOps-Mgt | Handle | Hijacked account | GitHub (Aqua) | Aqua service-account token harvested from a Trivy CI runner during Mar 19 strike; used Mar 22 to deface aquasec-com org (per OSM forensic analysis). |
| agwagwagwa | Handle | Hijacked account | GitHub | Compromised GitHub account used as one of the vehicles for the May 12 open-source release of the Shai-Hulud worm code; submitted a FreeBSD-support PR (per OX 2026-05-12). |
| headdirt | Handle | Hijacked account | GitHub | Compromised GitHub account hosting open-source-release Shai-Hulud code; private profile (per OX 2026-05-12). |
| tmechen | Handle | Hijacked account | GitHub | Compromised GitHub account hosting open-source-release Shai-Hulud code; cat-themed profile picture - matches PCPcat alias / 'the cats' theme in May 20 X-account quote (per OX 2026-05-12). |
| dependabot[bot] (impersonation) | Handle | Impersonation | git commit author | Spoofed git commit author on injected persistence commits in SAP CAP wave; used alongside claude@users.noreply.github.com to disguise malicious commits as automated bot output (per Snyk 2026-04-29). |

Note: this dataset is updated as new disclosures land. If an IOC you've seen elsewhere is missing, or you spot an attribution error, email support@pluto.security or reach Yotam Perkal. Corrections welcome and credited.