IOC Radar
TLP:WHITE · 7 IOCs

Threat Intelligence | Shai-Hulud Supply Chain Poisoning: Cloud Credential Theft and…

SlowMist
Published May 21, 2026 · Original Report

Diamond Model

Axes: Social, Technology
Adversary: unknown
Infrastructure (3): http://169.254.169.254, https://t.m-kosche.co…, https://t.m-kosche.co…
Capability: unknown
Victim: unknown

Attack Flow: 8 steps · MITRE ATT&CK mapped

Step 1/8: Initial Access (TA0001 · T1195)
Supply Chain Compromise
Action: Poison supply chain packages
Malicious code was implanted into popular npm packages, including those from Alibaba's AntV suite.

Indicators of Compromise (7)

| Type | Indicator | Tags | Confidence | Score | First Seen |
|---|---|---|---|---|---|
| SHA1 | 1916faa365f2788b6e193514872d51a242876569 | file-hash, indicator, intel-blog | High | 56 | Jun 2, 26 |
| SHA256 | e37e3ddeeaaa9e0c4fdbcb829b4895a6521031c80053fc436625b61e6ee5b1a6 | file-hash, intel-blog, supply-chain | Medium | 53 | Jun 2, 26 |
| URL | http://169.254.169.254 | exploit, intel-blog, network | High | 58 | Jun 2, 26 |
| URL | https://t.m-kosche.com/api/public/otel/v1/traces; | intel-blog, malware, network | High | 58 | Jun 2, 26 |
| URL | https://t.m-kosche.com:443/api/public/otel/v1/traces | intel-blog, network, url | High | 58 | Jun 2, 26 |
| SHA1 | 7cb42f57561c321ecb09b4552802ae0ac55b3a7a | file-hash, indicator, intel-blog | High | 56 | Jun 2, 26 |
| SHA256 | a68dd1e6a6e35ec3771e1f94fe796f55dfe65a2b94560516ff4ac189390dfa1c | file-hash, indicator, intel-blog | Medium | 53 | Jun 2, 26 |

[Figure: IOC Relationship Graph, 7 total IOCs: URL (3), SHA1 (2), SHA256 (2), connected to the report node "Threat Intelligence | Shai"]