ThreatFox IOC Database

You are viewing the ThreatFox database entry for domain probe-worker.hugebigballs87.workers.dev.

Database Entry

IOC ID: 1781010
IOC: probe-worker.hugebigballs87.workers.dev
IOC Type: domain
Threat Type: payload_delivery
Malware: Unknown malware
Confidence Level: high (100%)
Is compromised?: False
ASN: AS13335 CLOUDFLARENET
Country: US
First seen: 2026-04-04 11:52:09 UTC
Last seen: never
UUID: 367af3f8-300f-11f1-9af6-42010aa4000a
Reporter: tipo_deincognito
Reward: 5 credits from ThreatFox
Tags: credential-stealer npm postinstall supply-chain

tipo_deincognito
C2 exfil domain for npm/serverless-env-helpers (v1.0.0 also used probe.nrcerne.com, dead). Postinstall hook runs on npm install, silently exfils: full process.env, AWS credentials, npm tokens, Docker config, .gitconfig, .netrc, IMDSv2/ECS cloud metadata, directory listings. DNS exfil fallback: encodes env as subdomain label to dns.<domain>. Targets CI/CD build servers. Endpoint: /collect (POST, base64 body). Confirmed live (HTTP 200).