Public Incident Registry

Recorded before it happened.

A public registry of documented supply chain attacks — automated findings from Prechained's threat detectors, plus community-submitted incidents. Each entry links to a cryptographic receipt proving what the package contained at capture time. To investigate a specific actor or package, use Threat Intel ↗

Auto-detected Findings
5
Documented Incidents
Ecosystems Covered
100%
Pre-disclosure Rate
Documented Incidents
HIGH npm ✓ PRE-INCIDENT RECORD
codexui-android
Codex Auth Token theft via hidden code in dist-cli/chunk-PUR7OUAG.js. Tokens exfiltrated to sentry.anyclaw.store. Flagged by @safedepio May 27, 2026.
May 27, 2026
✓ Captured at disclosure
Receipt ID
NGR-PC-MP05TS6K9B1UZ5
Captured At
May 27, 2026 · 7:29 AM UTC
Maintainer
friuns / dorumonstr@gmail.com
Attack Vector
Hidden postinstall script exfiltrating Codex auth tokens to attacker-controlled domain
Exfil Endpoint
sentry.anyclaw.store/startlog
Disclosed By
@safedepio on X · May 27, 2026
SHA-384
f18d8cdab01c4b6235b9a6d14460bf61...
🔗 Verify Receipt 📦 View Archive →
HIGH npm ✓ PRE-INCIDENT RECORD
mouse5212-super-formatter
Malicious npm package attributed to hawknation22@gmail.com / hpruitt22. New actor, no prior publishing history.
May 26, 2026
✓ Pre-incident record
Maintainer
hawknation22@gmail.com / hpruitt22
First Seen
May 26, 2026 · 11:17 AM
Threat Flags
NEW_ACTOR — first appearance, no prior publishing history
🔍 Investigate Actor → 📦 View Archive →
HIGH npm PyPI GitHub ✓ PRE-INCIDENT RECORD
GlassWorm Campaign
Multi-vector supply chain campaign poisoning 300+ GitHub repositories via malicious VS Code extensions, compromised npm packages, and trojanized Python packages. Infrastructure used Solana, BitTorrent DHT, and Google Calendar for C2.
May 22, 2026
✓ Pre-incident record
Known Packages
token-usage-tracker (npm) · cryptowallet-safety (PyPI) · eth-security-auditor (PyPI) · ddjidd564/env-security-scanner (GitHub)
Known Actors
ddjidd564 · asdxzxc · asdmini67 · dae5411
First Detected
October 2025
Disrupted
May 27, 2026 — reported by The Hacker News
C2 Infrastructure
Solana blockchain · BitTorrent DHT · Google Calendar · VPS
Prechained Records
Actor identities indexed May 22, 2026 — packages captured at first appearance
🔍 Investigate Actors → 📦 token-usage-tracker →
HIGH GitHub ✓ PRE-INCIDENT RECORD
limitbreak-remote/AjunaVerse_MVP
High-velocity publishing campaign — 4 versions in 60 minutes triggering automated malware pattern detection. Attributed to gustavo@remote-limitbreak.com / gustavo601.
May 11, 2026
✓ Pre-incident record
Maintainer
gustavo@remote-limitbreak.com / gustavo601
Detected
May 11, 2026 · 10:49 PM
Threat Flags
HIGH_VELOCITY — 4 versions in 60 minutes · NEW_ACTOR
🔍 Investigate Actor → 📦 View Archive →
MEDIUM npm ✓ PRE-INCIDENT RECORD
durabletask
Malicious npm package attributed to actor "atool". New actor with no prior publishing history flagged at first appearance.
May 18, 2026
✓ Pre-incident record
Actor
atool
First Seen
May 18, 2026 · 5:00 PM
Threat Flags
NEW_ACTOR
🔍 Investigate Actor → 📦 View Archive →
Submit an Incident
Know of a supply chain attack that Prechained may have a pre-incident record for? Submit it. Include the package name, ecosystem, and any public disclosure link. Every verified submission gets added to this registry.