{
    "type": "bundle",
    "id": "bundle--ee220ca6-4e9b-4ba5-878b-500f89bb1ec1",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--a96f8bbb-0501-4026-a441-edfe31375afa",
            "created": "2025-12-03T00:51:50.222128Z",
            "modified": "2025-12-03T00:53:40.15867Z",
            "name": "OSM",
            "identity_class": "organization"
        },
        {
            "type": "domain-name",
            "spec_version": "2.1",
            "id": "domain-name--9915c9bf-525f-4f00-a266-524e57912f79",
            "value": "sfrclak.com"
        },
        {
            "type": "email-addr",
            "spec_version": "2.1",
            "id": "email-addr--80e7e8d8-7edf-47e2-af5e-d83f1479276b",
            "value": "ifstap@proton.me"
        },
        {
            "type": "email-addr",
            "spec_version": "2.1",
            "id": "email-addr--663d1619-80f7-43b5-87d1-12d1ccbfc38c",
            "value": "nrwise@proton.me"
        },
        {
            "type": "url",
            "spec_version": "2.1",
            "id": "url--15d803c1-f248-4623-af7b-f379f2a36962",
            "value": "http://sfrclak.com:8000/6202033"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--794180bf-52c3-45df-bf94-6810144b7a2f",
            "value": "142.11.206.73"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--2b905277-29cf-422f-b57e-f66feec3f23b",
            "created": "2026-06-24T19:54:03.530606Z",
            "modified": "2026-06-24T19:54:03.530606Z",
            "name": "YARA Rule",
            "pattern": "rule plain_crypto_js_malware {\r\n    meta:\r\n        description = \"Detects plain-crypto-js malware setup.js\"\r\n        author = \"Security Research Team\"\r\n        date = \"2026-03-31\"\r\n        hash = \"MD5_OF_SETUP_JS\"\r\n        severity = \"critical\"\r\n\r\n    strings:\r\n        $obfuscation1 = \"_trans_1\" ascii\r\n        $obfuscation2 = \"_trans_2\" ascii\r\n        $c2_key = \"OrDeR_7077\" ascii\r\n        $c2_domain = \"sfrclak\" ascii nocase\r\n        $victim_id = \"6202033\" ascii\r\n        $package_marker = \"packages.npm.org/product\" ascii\r\n        $self_delete = \"fs.unlink(__filename\" ascii\r\n\r\n    condition:\r\n        5 of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2026-03-31T00:00:00Z"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--f96c5283-8145-4823-9f58-7c33ecb01f1c",
            "created_by_ref": "identity--a96f8bbb-0501-4026-a441-edfe31375afa",
            "created": "2026-06-24T19:54:03.535573Z",
            "modified": "2026-06-24T19:54:03.535573Z",
            "name": "One of the most popular JavaScript packages on earth, Axios, has been compromised",
            "published": "2026-03-31T00:00:00Z",
            "object_refs": [
                "identity--a96f8bbb-0501-4026-a441-edfe31375afa",
                "domain-name--9915c9bf-525f-4f00-a266-524e57912f79",
                "email-addr--80e7e8d8-7edf-47e2-af5e-d83f1479276b",
                "email-addr--663d1619-80f7-43b5-87d1-12d1ccbfc38c",
                "url--15d803c1-f248-4623-af7b-f379f2a36962",
                "ipv4-addr--794180bf-52c3-45df-bf94-6810144b7a2f",
                "indicator--2b905277-29cf-422f-b57e-f66feec3f23b"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://opensourcemalware.com/blog/axios-compromised"
                }
            ]
        }
    ]
}