Hypothesis-driven hunts across endpoint, cloud, and identity environments. Real hunts, real findings.
Endpoints that ran npm install and resolved axios@1.14.1 or axios@0.30.4 between 00:21 and approximately 03:15 UTC on 2026-03-31 executed a cross-platform RAT dropper. The postinstall hook, C2 connections, and platform-specific payloads are detectable in default EDR telemetry.
Full dropper chain and RAT execution confirmed via controlled detonation. No customer impact. Built behavioral D&R rules for npm postinstall abuse and cross-platform RAT delivery.
Endpoints that installed litellm v1.82.7 or v1.82.8 from PyPI on March 24 are compromised. The .pth trigger, openssl encryption chain, and systemd persistence are detectable in EDR telemetry.
Caught the .pth auto-exec trigger and openssl encryption pipeline on a compromised host. Built behavioral queries that detect the technique independent of IOCs.
Unsigned binaries and DLLs appearing in ProgramData subfolders that don't belong to known, installed software indicate DLL sideloading activity.
Found a DeerStealer variant using a Comodo-signed binary sideloading cmdres.dll, with HijackLoader injecting DeerStealer into a hollowed Q-Dir process.