{
	"id": "e5cae3ed-c77e-4f57-8bf7-a67606fee245",
	"created_at": "2026-04-29T02:21:12.315295Z",
	"updated_at": "2026-04-29T08:21:27.252848Z",
	"deleted_at": null,
	"sha1_hash": "f05f7e02fb45146d57acbb92ef521afb1c8a4592",
	"title": "S1ngularity/nx attackers strike again",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2199940,
	"plain_text": "S1ngularity/nx attackers strike again\r\nBy Charlie Eriksen\r\nPublished: 2025-09-16 · Archived: 2026-04-29 02:11:47 UTC\r\nPublished on:\r\nSep 16, 2025\r\nThis morning, we were alerted to a large-scale attack against npm. This appears to the be work of the same threat\r\nactors behind the Nx attack on August 27th 2025. This was originally published by Socket and StepSecurity who\r\nnoted 40 packages had been comrpomised, since then an additional 147 packages have been infected with\r\nmalware including packages from CrowdStrike.\r\nThe scale, scope and impact of this attack is significant. The attackers are using the same playbook in large parts\r\nas the original attack, but have stepped up their game. They have turned it into a full worm, which does these\r\nthings automatically:\r\nSteal secrets and publish them to GitHub publicly\r\nRun trufflehog and query Cloud metadata endpoints to gather secrets\r\nAttempt to create a new GitHub action with a data exiltration mechanism through webhook[.]site\r\nIterate the repositories on GitHub a user has access to, and make them public\r\nSince our initial alert this morning we’ve confirmed the following additional behaviours and important details. For\r\nthose that don't know, Shai Hulud is the name for the worm in the Dune franchise. 
A clear indication of the intent\r\nof the attackers.\r\nShai Hulud, from Dune\r\nhttps://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again\r\nPage 1 of 14\n\nTo avoid being compromised by packages like this, check out Aikido safe-chain!\r\nWhat the worm does\r\nHarvest: scans the host and CI environment for secrets — process.env, scanning with TruffleHog, and\r\ncloud metadata endpoints (AWS/GCP) that return instance/service credentials.\r\nExfiltrate (1) — GitHub repo: creates a repo named Shai-Hulud under the compromised account and\r\ncommits a JSON dump containing system info, environment variables, and collected secrets.\r\nExfiltrate (2) — GitHub Actions → webhook: drops a workflow .github/workflows/shai-hulud-workflow.yml that serializes ${{ toJSON(secrets) }}, POSTs them to an attacker webhook[.]site\r\nURL and writes a double-base64 copy into the Actions logs.\r\nPropagate: uses any valid npm tokens it finds to enumerate and attempt to update packages the\r\ncompromised maintainer controls (supply-chain propagation).\r\nAmplify: iterates the victim’s accessible repositories, making them public or adding the workflow/branch\r\nthat will trigger further runs and leaks.\r\nLeaking of secrets\r\nAs with the original Nx attack, we're seeing the attackers doing a smash-and-grab style attack. The malicious\r\npayload both publishes a \"Shai-Hulud\" repository with stolen credentials/tokens, and it will go through a GitHub\r\naccount and turn private repositories public:\r\nStolen credentials being published\r\nPrivate repositories being turned public\r\nSelf-propagation through npm\r\nOne of the most striking features of this attack is that it behaves like a true worm. 
Rather than relying on a single\r\ninfected package to spread, the code is designed to re-publish itself into other npm packages owned by the\r\ncompromised maintainer.\r\nHere’s how the worm logic works:\r\nDownload a target tarball – it fetches an existing package version from the npm registry.\r\nModify package.json – the worm bumps the patch version (e.g. 1.2.3 → 1.2.4) and inserts a new\r\nlifecycle hook (postinstall).\r\nCopy its own payload – the running script (process.argv[1]) is written into the tarball as bundle.js.\r\nThis ensures that whatever code infected one package now lives inside the next.\r\nRe-publish the trojanized package – the modified tarball is gzipped and pushed back to npm using the\r\nmaintainer’s credentials.\r\nThis cycle allows the malware to continuously infect every package a maintainer has access to. Each published\r\npackage becomes a new distribution vector: as soon as someone installs it, the worm executes, replicates, and\r\npushes itself further into the ecosystem.\r\nIn short: the attacker doesn’t need to manually target packages. 
Once a single environment is compromised, the\r\nworm automates the spread by piggybacking on the maintainer’s own publishing rights.\r\nFor a complete malware breakdown we recommend reviewing the getsafety post\r\nImpacted packages\r\nPackage Versions\r\n@ahmedhfarag/ngx-perfect-scrollbar 20.0.20\r\n@ahmedhfarag/ngx-virtual-scroller 4.0.4\r\n@art-ws/common 2.0.28\r\n@art-ws/config-eslint 2.0.4, 2.0.5\r\n@art-ws/config-ts 2.0.7, 2.0.8\r\n@art-ws/db-context 2.0.24\r\n@art-ws/di 2.0.28, 2.0.32\r\n@art-ws/di-node 2.0.13\r\n@art-ws/eslint 1.0.5, 1.0.6\r\n@art-ws/fastify-http-server 2.0.24, 2.0.27\r\n@art-ws/http-server 2.0.21, 2.0.25\r\n@art-ws/openapi 0.1.9, 0.1.12\r\n@art-ws/package-base 1.0.5, 1.0.6\r\n@art-ws/prettier 1.0.5, 1.0.6\r\n@art-ws/slf 2.0.15, 2.0.22\r\n@art-ws/ssl-info 1.0.9, 1.0.10\r\n@art-ws/web-app 1.0.3, 1.0.4\r\n@crowdstrike/commitlint 8.1.1, 8.1.2\r\n@crowdstrike/falcon-shoelace 0.4.1, 0.4.2\r\n@crowdstrike/foundry-js 0.19.1, 0.19.2\r\n@crowdstrike/glide-core 0.34.2, 0.34.3\r\n@crowdstrike/logscale-dashboard 1.205.1, 1.205.2\r\n@crowdstrike/logscale-file-editor 1.205.1, 1.205.2\r\n@crowdstrike/logscale-parser-edit 1.205.1, 1.205.2\r\n@crowdstrike/logscale-search 1.205.1, 1.205.2\r\n@crowdstrike/tailwind-toucan-base 5.0.1, 5.0.2\r\n@ctrl/deluge 7.2.1, 7.2.2\r\n@ctrl/golang-template 1.4.2, 1.4.3\r\n@ctrl/magnet-link 4.0.3, 4.0.4\r\n@ctrl/ngx-codemirror 7.0.1, 7.0.2\r\n@ctrl/ngx-csv 6.0.1, 6.0.2\r\n@ctrl/ngx-emoji-mart 9.2.1, 9.2.2\r\n@ctrl/ngx-rightclick 4.0.1, 4.0.2\r\n@ctrl/qbittorrent 9.7.1, 9.7.2\r\n@ctrl/react-adsense 2.0.1, 2.0.2\r\n@ctrl/shared-torrent 6.3.1, 6.3.2\r\n@ctrl/tinycolor 4.1.1, 4.1.2\r\n@ctrl/torrent-file 4.1.1, 4.1.2\r\n@ctrl/transmission 7.3.1\r\n@ctrl/ts-base32 4.0.1, 4.0.2\r\n@hestjs/core 0.2.1\r\n@hestjs/cqrs 0.1.6\r\n@hestjs/demo 0.1.2\r\n@hestjs/eslint-config 0.1.2\r\n@hestjs/logger 0.1.6\r\n@hestjs/scalar 
0.1.7\r\n@hestjs/validation 0.1.6\r\n@nativescript-community/arraybuffers 1.1.6, 1.1.7, 1.1.8\r\n@nativescript-community/gesturehandler 2.0.35\r\n@nativescript-community/perms 3.0.5, 3.0.6, 3.0.7, 3.0.8\r\n@nativescript-community/sqlite 3.5.2, 3.5.3, 3.5.4, 3.5.5\r\n@nativescript-community/text 1.6.9, 1.6.10, 1.6.11, 1.6.12\r\n@nativescript-community/typeorm 0.2.30, 0.2.31, 0.2.32, 0.2.33\r\n@nativescript-community/ui-collectionview 6.0.6\r\n@nativescript-community/ui-document-picker 1.1.27, 1.1.28\r\n@nativescript-community/ui-drawer 0.1.30\r\n@nativescript-community/ui-image 4.5.6\r\n@nativescript-community/ui-label 1.3.35, 1.3.36, 1.3.37\r\n@nativescript-community/ui-material-bottom-navigation 7.2.72, 7.2.73, 7.2.74, 7.2.75\r\n@nativescript-community/ui-material-bottomsheet 7.2.72\r\n@nativescript-community/ui-material-core 7.2.72, 7.2.73, 7.2.74, 7.2.75\r\n@nativescript-community/ui-material-core-tabs 7.2.72, 7.2.73, 7.2.74, 7.2.75\r\n@nativescript-community/ui-material-ripple 7.2.72, 7.2.73, 7.2.74, 7.2.75\r\n@nativescript-community/ui-material-tabs 7.2.72, 7.2.73, 7.2.74, 7.2.75\r\n@nativescript-community/ui-pager 14.1.36, 14.1.37, 14.1.38\r\n@nativescript-community/ui-pulltorefresh 2.5.4, 2.5.5, 2.5.6, 2.5.7\r\n@nexe/config-manager 0.1.1\r\n@nexe/eslint-config 0.1.1\r\n@nexe/logger 0.1.3\r\n@nstudio/angular 20.0.4, 20.0.5, 20.0.6\r\n@nstudio/focus 20.0.4, 20.0.5, 20.0.6\r\n@nstudio/nativescript-checkbox 2.0.6, 2.0.7, 2.0.8, 2.0.9\r\n@nstudio/nativescript-loading-indicator 5.0.1, 5.0.2, 5.0.3, 5.0.4\r\n@nstudio/ui-collectionview 5.1.11, 5.1.12, 5.1.13, 5.1.14\r\n@nstudio/web 20.0.4\r\n@nstudio/web-angular 20.0.4\r\n@nstudio/xplat 20.0.5, 20.0.6, 20.0.7\r\n@nstudio/xplat-utils 20.0.5, 20.0.6, 20.0.7\r\n@operato/board 9.0.36, 9.0.37, 
9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46\r\n@operato/data-grist 9.0.29, 9.0.35, 9.0.36, 9.0.37\r\n@operato/graphql 9.0.22, 9.0.35, 9.0.36, 9.0.37, 9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46\r\n@operato/headroom 9.0.2, 9.0.35, 9.0.36, 9.0.37\r\n@operato/help 9.0.35, 9.0.36, 9.0.37, 9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46\r\n@operato/i18n 9.0.35, 9.0.36, 9.0.37\r\n@operato/input 9.0.27, 9.0.35, 9.0.36, 9.0.37, 9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46\r\n@operato/layout 9.0.35, 9.0.36, 9.0.37\r\n@operato/popup 9.0.22, 9.0.35, 9.0.36, 9.0.37, 9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46\r\n@operato/pull-to-refresh 9.0.36, 9.0.37, 9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42\r\n@operato/shell 9.0.22, 9.0.35, 9.0.36, 9.0.37, 9.0.38, 9.0.39\r\n@operato/styles 9.0.2, 9.0.35, 9.0.36, 9.0.37\r\n@operato/utils 9.0.22, 9.0.35, 9.0.36, 9.0.37, 9.0.38, 9.0.39, 9.0.40, 9.0.41, 9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46\r\n@teselagen/bounce-loader 0.3.16, 0.3.17\r\n@teselagen/liquibase-tools 0.4.1\r\n@teselagen/range-utils 0.3.14, 0.3.15\r\n@teselagen/react-list 0.8.19, 0.8.20\r\n@teselagen/react-table 6.10.19\r\n@thangved/callback-window 1.1.4\r\n@things-factory/attachment-base 9.0.43, 9.0.44, 9.0.45, 9.0.46, 9.0.47, 9.0.48, 9.0.49, 9.0.50\r\n@things-factory/auth-base 9.0.43, 9.0.44, 9.0.45\r\n@things-factory/email-base 9.0.42, 9.0.43, 9.0.44, 9.0.45, 9.0.46, 9.0.47, 9.0.48, 9.0.49, 9.0.50, 9.0.51, 9.0.52, 9.0.53, 9.0.54\r\n@things-factory/env 9.0.42, 9.0.43, 9.0.44, 9.0.45\r\n@things-factory/integration-base 9.0.43, 9.0.44, 9.0.45\r\n@things-factory/integration-marketplace 9.0.43, 9.0.44, 9.0.45\r\n@things-factory/shell 9.0.43, 9.0.44, 9.0.45\r\n@tnf-dev/api 1.0.8\r\n@tnf-dev/core 1.0.8\r\n@tnf-dev/js 
1.0.8\r\n@tnf-dev/mui 1.0.8\r\n@tnf-dev/react 1.0.8\r\n@ui-ux-gang/devextreme-angular-rpk 24.1.7\r\n@yoobic/design-system 6.5.17\r\n@yoobic/jpeg-camera-es6 1.0.13\r\n@yoobic/yobi 8.7.53\r\nairchief 0.3.1\r\nairpilot 0.8.8\r\nangulartics2 14.1.1, 14.1.2\r\nbrowser-webdriver-downloader 3.0.8\r\ncapacitor-notificationhandler 0.0.2, 0.0.3\r\ncapacitor-plugin-healthapp 0.0.2, 0.0.3\r\ncapacitor-plugin-ihealth 1.1.8, 1.1.9\r\ncapacitor-plugin-vonage 1.0.2, 1.0.3\r\ncapacitorandroidpermissions 0.0.4, 0.0.5\r\nconfig-cordova 0.8.5\r\ncordova-plugin-voxeet2 1.0.24\r\ncordova-voxeet 1.0.32\r\ncreate-hest-app 0.1.9\r\ndb-evo 1.1.4, 1.1.5\r\ndevextreme-angular-rpk 21.2.8\r\nember-browser-services 5.0.2, 5.0.3\r\nember-headless-form 1.1.2, 1.1.3\r\nember-headless-form-yup 1.0.1\r\nember-headless-table 2.1.5, 2.1.6\r\nember-url-hash-polyfill 1.0.12, 1.0.13\r\nember-velcro 2.2.1, 2.2.2\r\nencounter-playground 0.0.2, 0.0.3, 0.0.4, 0.0.5\r\neslint-config-crowdstrike 11.0.2, 11.0.3\r\neslint-config-crowdstrike-node 4.0.3, 4.0.4\r\neslint-config-teselagen 6.1.7\r\nglobalize-rpk 1.7.4\r\ngraphql-sequelize-teselagen 5.3.8\r\nhtml-to-base64-image 1.0.2\r\njson-rules-engine-simplified 0.2.1\r\njumpgate 0.0.2\r\nkoa2-swagger-ui 5.11.1, 5.11.2\r\nmcfly-semantic-release 1.3.1\r\nmcp-knowledge-base 0.0.2\r\nmcp-knowledge-graph 1.2.1\r\nmobioffice-cli 1.0.3\r\nmonorepo-next 13.0.1, 13.0.2\r\nmstate-angular 0.4.4\r\nmstate-cli 0.4.7\r\nmstate-dev-react 1.1.1\r\nmstate-react 1.6.5\r\nng2-file-upload 7.0.2, 7.0.3, 8.0.1, 8.0.2, 8.0.3, 9.0.1\r\nngx-bootstrap 18.1.4, 19.0.3, 19.0.4, 20.0.3, 20.0.4, 20.0.5\r\nngx-color 10.0.1, 10.0.2\r\nngx-toastr 19.0.1, 19.0.2\r\nngx-trend 8.0.1\r\nngx-ws 1.1.5, 1.1.6\r\noradm-to-gql 35.0.14, 35.0.15\r\noradm-to-sqlz 1.1.2\r\nove-auto-annotate 
0.0.9\r\npm2-gelf-json 1.0.4, 1.0.5\r\nprintjs-rpk 1.6.1\r\nreact-complaint-image 0.0.32\r\nreact-jsonschema-form-conditionals 0.3.18\r\nremark-preset-lint-crowdstrike 4.0.1, 4.0.2\r\nrxnt-authentication 0.0.3, 0.0.4, 0.0.5, 0.0.6\r\nrxnt-healthchecks-nestjs 1.0.2, 1.0.3, 1.0.4, 1.0.5\r\nrxnt-kue 1.0.4, 1.0.5, 1.0.6, 1.0.7\r\nswc-plugin-component-annotate 1.9.1, 1.9.2\r\ntbssnch 1.0.2\r\nteselagen-interval-tree 1.1.2\r\ntg-client-query-builder 2.14.4, 2.14.5\r\ntg-redbird 1.3.1\r\ntg-seq-gen 1.0.9, 1.0.10\r\nthangved-react-grid 1.0.3\r\nts-gaussian 3.0.5, 3.0.6\r\nts-imports 1.0.1, 1.0.2\r\ntvi-cli 0.1.5\r\nve-bamreader 0.2.6\r\nve-editor 1.0.1\r\nverror-extra 6.0.1\r\nvoip-callkit 1.0.2, 1.0.3\r\nwdio-web-reporter 0.1.3\r\nyargs-help-output 5.0.3\r\nyoo-styles 6.0.326\r\nStory developing…\r\nLast updated on:\r\nSep 19, 2025\r\nSource: https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.aikido.dev/blog/s1ngularity-nx-attackers-strike-again"
	],
	"report_names": [
		"s1ngularity-nx-attackers-strike-again"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-29T06:58:58.13853Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777429272,
	"ts_updated_at": 1777450887,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f05f7e02fb45146d57acbb92ef521afb1c8a4592.pdf",
		"text": "https://archive.orkl.eu/f05f7e02fb45146d57acbb92ef521afb1c8a4592.txt",
		"img": "https://archive.orkl.eu/f05f7e02fb45146d57acbb92ef521afb1c8a4592.jpg"
	}
}