Public malware intelligence for exposed build paths.
Malware notes focus on package behavior, build-artifact droppers, credential theft patterns, and infrastructure reuse observed during authorized BleedWatch scanning.
NPM script
postinstall-token-siphon
Postinstall script collects npmrc and cloud CLI tokens before forwarding them to a rotating endpoint.
PyPI wheel
setup-py-dropper
setup.py executes a platform-specific loader and attempts shell history collection.
Docker layer
registry-harvester
Entrypoint enumerates mounted registry credentials and posts metadata to a public relay.
GitHub Action
workflow-env-leak
Composite action echoes selected environment variables into build artifacts.
NPM package
typo-aws-sdk-helper
Typosquat package mimics a common AWS helper and fingerprints project configuration.
PyPI package
telemetry-confuser
Package includes excessive telemetry endpoints with unclear disclosure.
Container entrypoint
curlpipe-bootstrap
Runtime bootstrap pulls a mutable shell script over HTTP before launching the service.
Package metadata
maintainer-takeover-cluster
Publisher account changed across a related package family before a suspicious version bump.
Live data fed from app.bleedwatch.com.
The public index presents representative indicator structure. Customer-specific malware evidence, hashes, route ownership, and remediation status remain in the authenticated dashboard.