NPM malware hunt with OSSF Package Analysis, Sept 20, 2023

September 20, 2023 #malware-analysis #javascript #npm #ossf

Following up on Sifting through Crates.io for Malware, I started poking around the packages submitted to NPM during September 1-20, 2023. There is so much obvious malware and “security testing”.

The more interesting malware is probably the stuff that isn’t so obvious. Still, this exercise lets us practice our skills and tune our tools.

In this post we’ll start with DNS resolutions made during package installation:

SELECT 
  Queries.Hostname, 
  COUNT(*) AS `count`
FROM
  `ossf-malware-analysis.packages.analysis` AS T,
  T.Analysis.install.DNS as DNS,
  DNS.Queries AS Queries
WHERE
  TIMESTAMP_TRUNC(CreatedTimestamp, MONTH) = TIMESTAMP("2023-09-01")
  AND Package.Ecosystem = "npm"
GROUP BY Queries.Hostname
ORDER BY `count` DESC
;

Hostname	count
`registry.npmjs.org`	197075
`github.com`	8126
`objects.githubusercontent.com`	6172
`nodejs.org`	4263
`codeload.github.com`	2702
`opencollective.com`	1204
`binaries.prisma.sh`	347
`edgedl.me.gvt1.com`	263
`storage.googleapis.com`	260
`raw.githubusercontent.com`	187
`pkg.csb.dev`	148
`unpkg.com`	146
`download.cypress.io`	129
`cdn.cypress.io`	129
`bitbucket.org`	126
`playwright.azureedge.net`	106
`duckdb-node.s3.amazonaws.com`	103
`bin.equinox.io`	89
`api.github.com`	82
`checkpoint.prisma.io`	65
`cdn.sheetjs.com`	62
`hg.mozilla.org`	61
`api.thetimes.co.uk`	53
`download.newrelic.com`	49
`fastdl.mongodb.org`	45
`git.lumeweb.com`	38
`downloads.sentry-cdn.com`	37
`gw.alipayobjects.com`	34
`node-precompiled-binaries.grpc.io`	31
`ifconfig.me`	24
`chromedriver.storage.googleapis.com`	24
`crates.io`	23
`static.crates.io`	23
`mapbox-node-binary.s3.amazonaws.com`	22
`static.snyk.io`	21
`gitlab.com`	20
`cdn.ronghub.com`	18
`static.realm.io`	16
`eo56j4tfa20w1b7.m.pipedream.net`	12
`git.gendocu.com`	11
`archive.apache.org`	11
`googlechromelabs.github.io`	11
`data.mongodb-api.com`	11
`js.lisk.com`	10
`node-protectonce-native.s3.amazonaws.com`	10
`cli.raycast.com`	9
`www.raycast.com`	9
`raycast.com`	9
`ipinfo.io`	8
`downloads.webmproject.org`	8
`repo1.maven.org`	8
`s3.amazonaws.com`	8
`app.threatest.com`	7
`analytics.lightdash.com`	7
`www.uuidgenerator.net`	7
`vega-telemetry-apim-dev.azure-api.net`	7
`ckr9h2m2vtc0000z04n0gjhrateyyyyyb.oast.fun`	7
`binaries.soliditylang.org`	7
`s3-us-west-1.amazonaws.com`	6
`webhook.site`	6
`binaries.tonlabs.io`	5
`node-webrtc.s3.amazonaws.com`	5
`dl.nwjs.io`	5
`journeyapps-node-binary.s3.amazonaws.com`	5
`releases-cdn.jfrog.io`	4
`www.googleapis.com`	4
`msedgedriver.azureedge.net`	4
`moz.com`	4
`releases.jfrog.io`	4
`supabase-public-artifacts-bucket.s3.amazonaws.com`	4
`pulsar.apache.org`	4
`files.pythonhosted.org`	4
`focus-resource.oss-cn-beijing.aliyuncs.com`	4
`pypi.org`	4
`ziglang.org`	3
`static.rust-lang.org`	3
`gitpkg.vercel.app`	3
`gitee.com`	3
`axonodegit.s3.amazonaws.com`	3
`ww16.gitlab.databurning.inc`	3
`gitlab.databurning.inc`	3
`functionscdn.azureedge.net`	3
`gitpkg.now.sh`	3
`prefix.cc`	3
`sh.rustup.rs`	3
`ovn2giz2p5ki09n1xojzswz6nxtqhf.burpcollaborator.net`	3
`gitlab.aservice.com.tw`	2
`f6mu7sz7eg7psan28wak9uopigo7c90y.oastify.com`	2
`cjvm1lk0sjhuban1t120rm6bqz7iuu5ka.oast.live`	2
`eo5zaov3udnh16e.m.pipedream.net`	2
`gwgwq2e14p1ac6b3topajvsznqthhf54.oastify.com`	2
`web.sdk.qcloud.com`	2
`smartclient.com`	2
`qc64w4xskkaf3hj10ohaih09k0qqef.burpcollaborator.net`	2
`foruda.gitee.com`	2
`System`	2
`salsa.debian.org`	2
`cm1153c2vtc00002wd5ggkyo1twyyyyyb.oast.fun`	2
`List`	2
`Bug-Reporting`	2
`render.alipay.com`	2
`mdap.alipay.com`	2
`Network`	2
`downloads.sourceforge.net`	2
`download.z.cash`	2
`dataservice.alipayobjects.com`	2
`ideservice.alipay.com`	2
`435dvf5lwsuqc7k2zmmip3zfm6sxgn4c.oastify.com`	1
`rover.apollo.dev`	1
`pms-cdn.bdstatic.com`	1
`hufxo3c22qzba794rpnbhwq0lrrifd32.oastify.com`	1
`gitlab.inria.fr`	1
`cm4t7c52vtc000039v20gknpdsyyyyyyb.oast.fun`	1
`cytranet.dl.sourceforge.net`	1
`pe74f27hmqfz0kvcg6iuh4wzqqwhkk89.oastify.com`	1
`d3e6h8v4cxlhmu.cloudfront.net`	1
`c15510217590el32g9cjsa8u8mo6t3fetd98lzrqff.burpcollaborator.net`	1
`smartprogram.baidu.com`	1
`dc9065f3a7b5cm31san2vtc000046akggkbohioyyyyyb.oast.fun`	1
`chromiumdash.appspot.com`	1
`u7obzgeb.requestrepo.com`	1
`0.e1gqjw31dgpqcrbcd5j62x3fe9tk2bhg5rr7rwkfdxu7rt1g6w.2y13nip7i7y8y9se58mrmduoxf36rysmh.oastify.com`	1
`cm30n6w2vtc0000cv6m0gkb4w7cyyyyyf.oast.fun`	1
`ds5wd4w77e8d7.cloudfront.net`	1
`tulipnode.s3.amazonaws.com`	1
`jasonshin.github.io`	1
`gss3.bdstatic.com`	1
`shift72-sites.s3.amazonaws.com`	1
`d2xmf7eesbz9z9.cloudfront.net`	1
`eoyepq82deghwp1.m.pipedream.net`	1
`service.tunnelmole.com`	1
`k9uoqh3k3g2q6ie5ugwuwddllcr3fw3l.oastify.com`	1
`cm30n6w2vtc0000cv6m0gkbokucyyyyyb.oast.fun`	1
`j7rxjmyu7fn6m09tm6y2e4no4fa9yy.burpcollaborator.net`	1
`cm0k7mp2vtc0000qfwkggkyju4eyyyyyb.oast.fun`	1
`build-artifacts.signal.org`	1
`25371d442238xdede680mk624kgu48sasafdh4nubj.burpcollaborator.net`	1
`versaweb.dl.sourceforge.net`	1
`h.pkgs.store`	1
`drwpxdi3xxat9.cloudfront.net`	1
`clndly.bookingflix.com`	1
`b19d5f54a3a0aesic9l2whlwa33aytefcnu11s7jv8.burpcollaborator.net`	1
`electronjs.org`	1
`042gymmlc99ukqjn18xurf0jva11ptdi.oastify.com`	1
`yt-dl.org`	1
`versionhistory.googleapis.com`	1
`api64.ipify.org`	1
`cm30n6w2vtc0000cv6m0gkbo1ehyyyyyd.oast.fun`	1
`package.cli.amplify.aws`	1
`spcbj.cdn.bcebos.com`	1
`api.cli.amplify.aws`	1
`usr`	1
`gist.github.com`	1
`jylzs5g46s3de9d6vrrdlyu2ptvkjb70.oastify.com`	1
`unpm.uberinternal.com`	1
`qztmtxw0341c8wjz7a3wdql60x6nuc.burpcollaborator.net`	1
`a0359854ae4a.cm30n6w2vtc0000cv6m0gkboz5ayyyyyr.oast.fun`	1
`spcsz.cdn.bcebos.com`	1
`react-bootstrap-v4-data-picker.com`	1
`a390a2d55c32.sfbdsd25uq668574h501430r0i69u3is.oastify.com`	1
`product-details.mozilla.org`	1
`d4be-165-231-177-189.ngrok-free.app`	1
`ckr9h2m2vtc0000z04n0gjh3p3ayyyyyd.oast.fun`	1
`gitlab.mservice.com.vn`	1
`bos.box.bdimg.com`	1
`archive.mozilla.org`	1
`ca.fi`	1
`d7mr6puf9ww39.cloudfront.net`	1
`node-binaries.s3.amazonaws.com`	1
`mbd.baidu.com`	1
`api.mixpanel.com`	1
`calbold.bookingflix.com`	1
`root.8664dbdeab3d.gxh03b4xozq3h51eijotk3mzdqjh77vw.oastify.com`	1
`3e93b1279a53a87ad8c01b6fab998357.m.pipedream.net`	1
`gitlab.bart.sk`	1
`premium.rxdb.info`	1
`cm30n6w2vtc0000cv6m0gkbookoyyyyyn.oast.fun`	1
`c971b268fd0b.qlfu0xty7cyyfst1cs3qt6wz3q9hx7lw.oastify.com`	1
`d1d1d5022c4b.rhck43o9lrknmap6jncly360zr5itahz.oastify.com`	1
`www.electronjs.org`	1
`figma-nodegit.s3.amazonaws.com`	1
`v62y1t0jl7qwybj078a681b79yfw3l.burpcollaborator.net`	1
`e5604348176e.sfbdsd25uq668574h501430r0i69u3is.oastify.com`	1
`70839db2341del32g9cjsa8u8mo6t3fetd98lzrqff.burpcollaborator.net`	1
`playwright-akamai.azureedge.net`	1
`fp8y66sye5jwm2di4je847yf66cw0l.burpcollaborator.net`	1
`1.vked9p6wr3ac1kfgqp2w3g5xq6yt35bxppyt3ndhjq6bvgc5wq.2y13nip7i7y8y9se58mrmduoxf36rysmh.oastify.com`	1
`js.rip`	1
`d366veejw7r0h.cloudfront.net`	1
`2.0rbc5nv62v39chgq8vvjedy6rvth68vjwc1e60q32tbmd0r32d.2y13nip7i7y8y9se58mrmduoxf36rysmh.oastify.com`	1
`2jmido1nrbowzsypgacw6hflacg34zso.oastify.com`	1
`api.ipify.org`	1
`trident-sdk.s3-us-west-1.amazonaws.com`	1
`3.tj5rrkcbhh6rq34d8.2y13nip7i7y8y9se58mrmduoxf36rysmh.oastify.com`	1
`cdn.xraremeta.com`	1
`01dd4079912f.rhck43o9lrknmap6jncly360zr5itahz.oastify.com`	1
`api.ifdns.top`	1
`cm4jsv72vtc00005c170gknjc7hyyyyyb.oast.fun`	1
`oapi-kunlun.kundou.cn`	1
`artifacts.electronjs.org`	1
`eo6zs9q1nkdd0ph.m.pipedream.net`	1
`dist.ipfs.tech`	1
`ckske5r2vtc000003x60gjh3zdyyyyyyb.oast.fun`	1
`static.pharmacyyf.com`	1
`mon.zijieapi.com`	1
`content.overwolf.com`	1
`newtesttocheckscanner.package.0xlupin.com`	1
`4826533f4ab3cm31san2vtc000046akggkbohioyyyyyb.oast.fun`	1
`3bfb39b5a69dcm31san2vtc000046akggkbohioyyyyyb.oast.fun`	1
`eoerh8zdok2dcuf.m.pipedream.net`	1
`af54b23955a1cm31san2vtc000046akggkbohioyyyyyb.oast.fun`	1
`archive.zsq.im`	1
`30e72bbc4f57.0yj0npk9xow79fekqjlndw4lr.canarytokens.com`	1
`hooks-testnet-v3.xrpl-labs.com`	1
`5056fcbc2be2cm31san2vtc000046akggkbohioyyyyyb.oast.fun`	1
`f134e3ae147dcm31san2vtc000046akggkbohioyyyyyb.oast.fun`	1
`enjglpdgtgrbn4b.m.pipedream.net`	1
`00ad358605ce3y2fc9xtt9toy1u2y4txfy665xbnzc.burpcollaborator.net`	1

Immediately suspicious domains related to security testing and/or reverse shells:

*.canarytokens.com
*.burpcollaborator.net
*.oast.fun
*.oastify.fun
*.pipedream.net
*.ngrok-free.app

SELECT
  Queries.Hostname,
  T.Package.Name,
  T.Package.Version,
  FORMAT(
    "https://registry.npmjs.org/%s/%s",
    T.Package.Name,
    T.Package.Version) AS url
FROM
  `ossf-malware-analysis.packages.analysis` AS T,
  T.Analysis.install.DNS as DNS,
  DNS.Queries AS Queries
WHERE
  Package.Ecosystem = "npm"
  AND TIMESTAMP_TRUNC(CreatedTimestamp, MONTH) = TIMESTAMP("2023-09-01")
  AND (
    Queries.Hostname LIKE "%.canarytokens.com"
    OR Queries.Hostname LIKE "%.burpcollaborator.net"
    OR Queries.Hostname LIKE "%.oast.fun"
    OR Queries.Hostname LIKE "%.oastify.fun"
    OR Queries.Hostname LIKE "%.pipedream.net"
    OR Queries.Hostname LIKE "%.ngrok-free.app"
  )
ORDER BY 
  T.Package.Name, 
  T.Package.Version,
  Queries.Hostname
  DESC
;

Hostname	Name	Version
`cm1153c2vtc00002wd5ggkyo1twyyyyyb.oast.fun`	@healthbridge-design-system/components	1.0.0
`enjglpdgtgrbn4b.m.pipedream.net`	@operational-reporting/wire-contracts	7.0.0
`eo56j4tfa20w1b7.m.pipedream.net`	adidas-data-mesh	4.4.7
`qztmtxw0341c8wjz7a3wdql60x6nuc.burpcollaborator.net`	adidas-data-mesh	7.7.7
`cm30n6w2vtc0000cv6m0gkbo1ehyyyyyd.oast.fun`	adidas-data-mesh	9.9.0
`cm30n6w2vtc0000cv6m0gkbookoyyyyyn.oast.fun`	adidas-data-mesh	9.9.1
`a0359854ae4a.cm30n6w2vtc0000cv6m0gkboz5ayyyyyr.oast.fun`	adidas-data-mesh	9.9.4
`b19d5f54a3a0aesic9l2whlwa33aytefcnu11s7jv8.burpcollaborator.net`	adidas-data-mesh	9.9.8
`cm30n6w2vtc0000cv6m0gkbokucyyyyyb.oast.fun`	adidas-data-mesh	9.9.9
`cm4t7c52vtc000039v20gknpdsyyyyyyb.oast.fun`	bbc-iplayer-sounds-chatbot	1.2.3
`eo56j4tfa20w1b7.m.pipedream.net`	bbc-iplayer-sounds-chatbot	5.2.3
`eo56j4tfa20w1b7.m.pipedream.net`	bbc-iplayer-sounds-chatbot	7.2.3
`cm30n6w2vtc0000cv6m0gkb4w7cyyyyyf.oast.fun`	centurylink	4.1.1
`ckr9h2m2vtc0000z04n0gjhrateyyyyyb.oast.fun`	chain-list	20.0.0
`j7rxjmyu7fn6m09tm6y2e4no4fa9yy.burpcollaborator.net`	developer-scaffold-full-width-wrapper	1.9.2
`v62y1t0jl7qwybj078a681b79yfw3l.burpcollaborator.net`	developer-scaffold-full-width-wrapper	1.9.9
`eo56j4tfa20w1b7.m.pipedream.net`	goingwithflow	2.9.9
`eo56j4tfa20w1b7.m.pipedream.net`	goingwithflow	4.9.9
`eoyepq82deghwp1.m.pipedream.net`	goingwithflow	6.9.9
`cm4jsv72vtc00005c170gknjc7hyyyyyb.oast.fun`	goingwithflow	9.8.9
`cm1153c2vtc00002wd5ggkyo1twyyyyyb.oast.fun`	healthbridge-design-system	1.0.0
`ckske5r2vtc000003x60gjh3zdyyyyyyb.oast.fun`	helio_tawa	5.0.1
`25371d442238xdede680mk624kgu48sasafdh4nubj.burpcollaborator.net`	inteken-app-client	9.9.1
`70839db2341del32g9cjsa8u8mo6t3fetd98lzrqff.burpcollaborator.net`	inteken-app-client	9.9.5
`c15510217590el32g9cjsa8u8mo6t3fetd98lzrqff.burpcollaborator.net`	inteken-app-client	9.9.6
`fp8y66sye5jwm2di4je847yf66cw0l.burpcollaborator.net`	inteken-app-client	9.9.9
`ckr9h2m2vtc0000z04n0gjhrateyyyyyb.oast.fun`	master-oracle-lib	20.0.0
`ckr9h2m2vtc0000z04n0gjhrateyyyyyb.oast.fun`	metronome-synth-info-lib	20.0.0
`ckr9h2m2vtc0000z04n0gjhrateyyyyyb.oast.fun`	metronome-synth-user-lib	20.0.2
`ckr9h2m2vtc0000z04n0gjhrateyyyyyb.oast.fun`	metronome-ui	21.0.2
`dc9065f3a7b5cm31san2vtc000046akggkbohioyyyyyb.oast.fun`	mfp-food-diary	0.1.1
`5056fcbc2be2cm31san2vtc000046akggkbohioyyyyyb.oast.fun`	mfp-food-diary	0.1.2
`f134e3ae147dcm31san2vtc000046akggkbohioyyyyyb.oast.fun`	mfp-test-repo	0.1.1
`eoerh8zdok2dcuf.m.pipedream.net`	npm-random-gen	1.0.1
`d4be-165-231-177-189.ngrok-free.app`	not-a-math	1.0.0
`00ad358605ce3y2fc9xtt9toy1u2y4txfy665xbnzc.burpcollaborator.net`	pathkit-local	9.9.9
`eo6zs9q1nkdd0ph.m.pipedream.net`	pingserver-test.01	1.1.0
`eo56j4tfa20w1b7.m.pipedream.net`	pmd-github-action	7.2.9
`eo56j4tfa20w1b7.m.pipedream.net`	pmd-github-action	7.9.9
`30e72bbc4f57.0yj0npk9xow79fekqjlndw4lr.canarytokens.com`	ppreact7	7.0.0
`qc64w4xskkaf3hj10ohaih09k0qqef.burpcollaborator.net`	producer-journey	1.0.0
`qc64w4xskkaf3hj10ohaih09k0qqef.burpcollaborator.net`	producer-journey	1.0.3
`4826533f4ab3cm31san2vtc000046akggkbohioyyyyyb.oast.fun`	puppeteer-example	0.1.2
`3bfb39b5a69dcm31san2vtc000046akggkbohioyyyyyb.oast.fun`	puppeteer-example	0.1.3
`af54b23955a1cm31san2vtc000046akggkbohioyyyyyb.oast.fun`	puppeteer-example	0.1.5
`eo5zaov3udnh16e.m.pipedream.net`	puppeteer-example	0.1.7
`eo5zaov3udnh16e.m.pipedream.net`	puppeteer-example	0.1.9
`cm0k7mp2vtc0000qfwkggkyju4eyyyyyb.oast.fun`	sharinj-test	1.0.0
`eo56j4tfa20w1b7.m.pipedream.net`	subspace-relayer-front-end	3.3.3
`eo56j4tfa20w1b7.m.pipedream.net`	subspace-relayer-front-end	3.8.8
`eo56j4tfa20w1b7.m.pipedream.net`	subspace-relayer-front-end	4.4.4
`eo56j4tfa20w1b7.m.pipedream.net`	subspace-relayer-front-end	5.4.2
`ovn2giz2p5ki09n1xojzswz6nxtqhf.burpcollaborator.net`	surf-sharekit-frontend	9.9.7
`ovn2giz2p5ki09n1xojzswz6nxtqhf.burpcollaborator.net`	surf-sharekit-frontend	9.9.8
`ovn2giz2p5ki09n1xojzswz6nxtqhf.burpcollaborator.net`	surf-sharekit-frontend	9.9.9
`3e93b1279a53a87ad8c01b6fab998357.m.pipedream.net`	testingoli	1.2.2
`ckr9h2m2vtc0000z04n0gjhrateyyyyyb.oast.fun`	vesper-synth-user-lib	20.0.0
`ckr9h2m2vtc0000z04n0gjhrateyyyyyb.oast.fun`	wallet-switch-chain	21.0.3
`eo56j4tfa20w1b7.m.pipedream.net`	walletconnect-website	4.4.4
`ckr9h2m2vtc0000z04n0gjh3p3ayyyyyd.oast.fun`	www-ankr-com	2.0.10

IP checking domains:

ifconfig.me
ipinfo.io
api64.ipify.org
api.ipify.org
api.ifdns.top

Hostname	Name	Version
`ipinfo.io`	@expue/app	0.0.2-alpha.0
`ipinfo.io`	@expue/core	0.0.3-alpha.0
`ipinfo.io`	@expue/plugin-express	0.0.3-alpha.0
`ipinfo.io`	@expue/shared	0.0.3-alpha.0
`ipinfo.io`	@expue/types	0.0.3-alpha.0
`ipinfo.io`	@expue/vue-renderer	0.0.3-alpha.0
`ipinfo.io`	@sheinoutmobile/sheinoutmobile	1.6.0
`ifconfig.me`	chain-list	20.0.0
`ifconfig.me`	course-structure-debugger	10.999.0
`ifconfig.me`	course-structure-debugger	11.999.0
`ifconfig.me`	feature-flag-framework	9.999.0
`ifconfig.me`	fiji-core-cryptopool	9.999.0
`ifconfig.me`	fiji-core-foc	9.999.0
`ifconfig.me`	fiji-core-foundation	9.999.0
`ifconfig.me`	fiji-core-framework	9.999.0
`ifconfig.me`	jupiter-emoji	9.999.0
`ifconfig.me`	jupiter-i18n	9.999.0
`ifconfig.me`	jupiter-opensdk	9.999.0
`ifconfig.me`	master-oracle-lib	20.0.0
`ifconfig.me`	metronome-synth-info-lib	20.0.0
`ifconfig.me`	metronome-synth-user-lib	20.0.2
`ifconfig.me`	metronome-ui	21.0.2
`api64.ipify.org`	netbet_react	2.0.3
`api.ipify.org`	not-a-math	1.0.0
`ipinfo.io`	scroller_super_top	1.0.2
`api.ifdns.top`	twillio-tests	99.99.1
`ifconfig.me`	ui-elements-icons	4.999.0
`ifconfig.me`	ui-elements-icons	6.0.0
`ifconfig.me`	ui-elements-icons	8.999.0
`ifconfig.me`	ui-elements-icons	9.999.9
`ifconfig.me`	vesper-synth-user-lib	20.0.0
`ifconfig.me`	wallet-switch-chain	21.0.3
`ifconfig.me`	www-ankr-com	2.0.10
`ifconfig.me`	ysb-ui-services	3.999.0
`ifconfig.me`	ysb-ui-services	4.999.0

CDN domains, which could go either way:

ds5wd4w77e8d7.cloudfront.net
shift72-sites.s3.amazonaws.com
d2xmf7eesbz9z9.cloudfront.net
drwpxdi3xxat9.cloudfront.net
d7mr6puf9ww39.cloudfront.net
d366veejw7r0h.cloudfront.net

Hostname	Name	Version
`shift72-sites.s3.amazonaws.com`	@shift72/core-template	1.9.6
`drwpxdi3xxat9.cloudfront.net`	eslint-plugin-frontbucket-patterns	1.5.0
`d366veejw7r0h.cloudfront.net`	fedex-status-check	0.3.0
`d2xmf7eesbz9z9.cloudfront.net`	mocha-flake-reporter	1.0.0
`ds5wd4w77e8d7.cloudfront.net`	mocha-timing-reporter	1.0.0
`d7mr6puf9ww39.cloudfront.net`	tourist-catapult	9.7.2

Generally suspicious domains:

static.snyk.io
www.uuidgenerator.net
app.threatest.com
webhook.site
service.tunnelmole.com
clndly.bookingflix.com
calbold.bookingflix.com
js.rip
dist.ipfs.tech
static.pharmacyyf.com
newtesttocheckscanner.package.0xlupin.com
hooks-testnet-v3.xrpl-labs.com

Hostname	Name	Version
`app.threatest.com`	@expue/app	0.0.2-alpha.0
`app.threatest.com`	@expue/core	0.0.3-alpha.0
`app.threatest.com`	@expue/plugin-express	0.0.3-alpha.0
`app.threatest.com`	@expue/shared	0.0.3-alpha.0
`app.threatest.com`	@expue/types	0.0.3-alpha.0
`app.threatest.com`	@expue/vue-renderer	0.0.3-alpha.0
`app.threatest.com`	@sheinoutmobile/sheinoutmobile	1.6.0
`calbold.bookingflix.com`	bookingflix_quickstart	2.1.7
`clndly.bookingflix.com`	bookingflix_quickstart	2.1.7
`dist.ipfs.tech`	@constl/utils-tests	0.1.6
`hooks-testnet-v3.xrpl-labs.com`	evdevkit	0.7.2
`js.rip`	sw-kendo-atomic-theme	1.999.0
`newtesttocheckscanner.package.0xlupin.com`	newtesttocheckscanner	0.0.1
`service.tunnelmole.com`	@jhonjtoloza/tunnelmole	2.1.13
`static.pharmacyyf.com`	@pluve/lego-excel-vue	0.11.0
`static.snyk.io`	@pwnies/npm-deploy	1.0.0
`static.snyk.io`	@pwnies/npm-deploy	1.0.1
`static.snyk.io`	@travi/cli	11.1.108
`static.snyk.io`	@travi/cli	11.1.115
`static.snyk.io`	@travi/cli	11.1.119
`static.snyk.io`	@travi/cli	11.1.121
`static.snyk.io`	beamjs	1.4.0
`static.snyk.io`	cordova-plugin-invitereferrals	4.0.0
`static.snyk.io`	cordova-plugin-notifyvisitors	3.8.5
`static.snyk.io`	gb_utils	1.0.0
`static.snyk.io`	gb_utils	1.0.2
`static.snyk.io`	gb_utils	1.0.3
`static.snyk.io`	gb_utils	1.0.4
`static.snyk.io`	gb_utils	1.0.6
`static.snyk.io`	gb_utils	1.0.9
`static.snyk.io`	gb_utils	1.1.1
`static.snyk.io`	gb_utils	1.1.2
`static.snyk.io`	gb_utils	1.1.3
`static.snyk.io`	mobbdev	0.0.35
`static.snyk.io`	mobbdev	0.0.36
`static.snyk.io`	mobbdev	0.0.37
`webhook.site`	ccfedrtest-poc	1.0.13
`webhook.site`	darkhat-hard-to-find-package-do-not-require-it	1.0.1
`webhook.site`	lab-npm-package	1.0.7
`webhook.site`	lab-npm-package	1.0.8
`webhook.site`	lab-npm-package	2.0.1
`webhook.site`	lab-npm-package	2.0.2
`www.uuidgenerator.net`	@lightdash/cli	0.763.0
`www.uuidgenerator.net`	@lightdash/cli	0.764.0
`www.uuidgenerator.net`	@lightdash/cli	0.764.1
`www.uuidgenerator.net`	@lightdash/cli	0.765.2
`www.uuidgenerator.net`	@lightdash/cli	0.773.4
`www.uuidgenerator.net`	@lightdash/cli	0.775.1
`www.uuidgenerator.net`	@lightdash/cli	0.776.3

Further Ideas:

join with current NPM package state to see what is already yanked
- e.g. "version":"0.0.1-security","description":"security holding package","repository":"npm/security-holder"
pivot from package to author to other packages
find packages that depend on a malicious package