{
	"id": "930c8532-615f-4ab5-8e26-11a6a51423d2",
	"created_at": "2026-04-06T00:07:02.21464Z",
	"updated_at": "2026-04-10T03:21:05.328695Z",
	"deleted_at": null,
	"sha1_hash": "21eb3dd4fec84da160b377858b22c87334952c22",
	"title": "Webhook Party — Malicious packages caught exfiltrating data via legit webhook services",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1153088,
	"plain_text": "Webhook Party — Malicious packages caught exfiltrating data via\r\nlegit webhook services\r\nBy Jossef Harush Kadouri\r\nPublished: 2022-03-07 · Archived: 2026-04-05 18:12:09 UTC\r\nCheckmarx Supply Chain Security (SCS) team (previously Dustico) has found several malicious packages\r\nattempting to use a dependency confusion attack. Those packages were detected by the team’s malicious package\r\ndetection system. Findings show that all the packages caught contained a malicious payload that uses legitimate SaaS\r\nservices for data exfiltration. This behavior is part of an alarming trend we are seeing in recent attacks.\r\nhttps://medium.com/checkmarx-security/webhook-party-malicious-packages-caught-exfiltrating-data-via-legit-webhook-services-6e046b07d191\r\nPage 1 of 6\n\nDetails\r\nLet us start with the NPM packages ‘azureazure’ and ‘azure-sdk-v4’. Those two packages both include the\r\ndescription “azure whitehat package” but still collect sensitive system information and exfiltrate it to the address\r\n“425a2.rt11[.]ml”. After some digging, we linked this address to the webhook service https://interactsh.com/\r\nwhich provides a simple and free way to implement an endpoint for this kind of attack.\r\nUser interface of the ‘interactsh’ service — this is how the collected data is displayed to the attacker\r\nLooking more closely at the code, we encountered a few revealing comments that were enough to link the code in\r\nthis package to a tutorial explaining dependency confusion attacks and providing code snippets that can be used\r\nwhile implementing this technique.\r\na tutorial explaining dependency confusion attacks and providing code snippets\r\nThe code in the packages we found closely resembled the code snippets in the tutorial, other than the fact that the\r\nuploader decided to add two more functionalities to it:\r\nenumerate the files in a list of interesting paths [C:\\, D:\\, /, /home]\r\nretrieve the external IP address\r\nCode Obfuscation\r\nOther than the additional features, it seems like the person behind these packages is testing further concepts, and so\r\nwe found the next two NPM packages that were likely to come from them: ‘glints-sdk’ and ‘azure-sdk-v3’.\r\nThese two packages deliver similar code to the victim, only in an obfuscated form.\r\nAs a part of the automatic malware detection system developed by the Checkmarx SCS team, the packages are\r\ndynamically analyzed in several sub-engines, and in these cases the results of the analysis for all four packages\r\nmentioned above included network communication with the address (hxxps://425a2.rt11[.]ml). This implies that\r\n‘glints-sdk’ and ‘azure-sdk-v3’ are made by the same attacker.\r\nCross Platform Attack\r\nAround the same time, Checkmarx’s system detected another package, this time published on PyPI. The\r\nuser ‘azureazure’ (with the display name ‘Kareem’) published a Python package ‘azureazure’. Looking at the code,\r\nwe found similar functionalities to its JavaScript counterpart, including gathering system information and\r\nexfiltrating it to the same address (hxxps://425a2.rt11[.]ml). In addition to these, the Python code also included\r\ndata exfiltration through DNS tunneling.\r\nWe believe those packages were published by the same actor; we found more NPM packages that all contain a similar\r\nmalicious payload which exfiltrates host information to the free SaaS services ‘burpcollaborator.net’ and\r\n‘pipedream.net’.\r\nWebhook as a C\u0026C Server\r\nThe usage of these legitimate free services by all those malicious packages corresponds with an interesting trend\r\nwe are witnessing, in which actors utilize “out of the box” solutions for the backend infrastructure of their\r\nattacks. Free SaaS services such as the examples listed below provide an effortless way to get up and running,\r\nwith an endpoint ready to go in a matter of seconds, to which the exfiltrated data will be collected:\r\nhttps://pipedream.com/\r\nhttps://burpcollaborator.net/\r\nhttps://app.interactsh.com/\r\nhttps://webhook.site/\r\nMessaging services such as Discord, Telegram, etc.\r\nAside from the ease of using these services instead of building and deploying a dedicated server, this technique\r\nhas one more important outcome. In case of a successful infection, network traffic to these services will not raise\r\nred flags to defenders, for they are legitimate and can be used for legitimate purposes. The combination of TLS\r\nencrypted traffic with the usage of known and legitimate sites makes it even harder for defenders to identify\r\nsensitive information being exfiltrated from their networks.\r\nWhile a few packages did state a “whitehat” disclaimer, they still send data from the victim’s machine to the\r\nattacker’s endpoint. We reported all malicious packages to the NPM and PyPI security teams, and most of the\r\npackages were rapidly removed from the registry.\r\nan example of one of the reports sent to npm\r\nIOCs\r\n425a2.rt11[.]ml\r\ngxh1p4cmhshj6na8ds6zue6s6jcb00.burpcollaborator[.]net\r\nhxxps://grabify[.]link/YXP9CJ\r\nenjg65nwg4r8o28.m.pipedream[.]net\r\nConclusion\r\nThis is one of several types of malicious packages that the Checkmarx Supply Chain Security (SCS) team\r\n(previously Dustico) is discovering in the wild. We’ll continue to report on our findings here in this blog, so stay\r\ntuned.\r\nRead the full story on Checkmarx Blog",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://medium.com/checkmarx-security/webhook-party-malicious-packages-caught-exfiltrating-data-via-legit-webhook-services-6e046b07d191"
	],
	"report_names": [
		"webhook-party-malicious-packages-caught-exfiltrating-data-via-legit-webhook-services-6e046b07d191"
	],
	"threat_actors": [],
	"ts_created_at": 1775434022,
	"ts_updated_at": 1775791265,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/21eb3dd4fec84da160b377858b22c87334952c22.pdf",
		"text": "https://archive.orkl.eu/21eb3dd4fec84da160b377858b22c87334952c22.txt",
		"img": "https://archive.orkl.eu/21eb3dd4fec84da160b377858b22c87334952c22.jpg"
	}
}