Rendered Analysis Notebooks
These notebooks are the technical appendix to the incident report. They walk through the exploit mechanics, code path, data flow, stage-two behavior, IOC derivation, network failure, and evidence boundaries.
They are not live notebooks. They do not execute attacker-provided code in the browser. They use sanitized excerpts, fake data, public indicators, and derived summaries so readers can inspect the reasoning safely.
Suggested Reading Order
Read in order. The sequence moves from trust boundaries to entrypoint, import graph, data flow, stage features, network behavior, IOC derivation, and final claim classification.
- Analysis Map and Safety Boundary
Maps the complete incident architecture, public/private evidence boundary, and claim-confidence model.
- npm Lifecycle Entrypoint Analysis
Dissects the prepare command, cross-platform fallback, backgrounding, and npm-to-Node process ancestry.
- Node Import Chain and Side Effects
Reconstructs the CommonJS import graph, the top-level calls that run as a side effect of require(), and the point where a fetched response body is treated as code, transferring execution authority to it.
- First-Stage Environment Exfiltration Dataflow
Tracks configuration and process-environment data into the first-stage POST using redacted values.
- Stage-Two Static Feature Analysis
Derives host-profiling, beaconing, polling, and tasking features without publishing the hostile body.
- Beacon and Network Path Analysis
Models the beacon with fake field values and traces the request path from undici through the TCP connect, the route lookup, the blackholed destination, and the resulting ENETUNREACH error.
- IOC and Artifact Derivation
Normalizes the public indicators and shows how defensive CSV/JSON outputs are derived safely.
- Evidence Boundary and Claim Classification
Builds a claim matrix separating proven, observed, likely, plausible, and unsupported conclusions.
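The kind of normalization the IOC notebook describes, as an added example that is not one of the notebooks and not the report's own tooling: the indicator values below are constructed placeholders in reserved example ranges (not the report's published IOCs), and the helper names, field names and type labels are assumptions made for this illustration. It refangs mixed-case, inconsistently defanged input so duplicates collapse, classifies each value, and then re-defangs before writing CSV/JSON so the outputs carry no clickable URL or resolvable host.

```python
"""Normalize constructed, defanged indicators and emit defensive CSV/JSON.

Added example, not notebook code. All indicator values are constructed
placeholders (RFC 5737 address space, example.net, the SHA-256 of "test").
"""
import csv
import io
import json
import re
from typing import Dict, List

# Constructed sample input, as an analyst might paste it from several sources:
# mixed case, mixed defanging, stray whitespace, and one duplicate.
RAW_INDICATORS = [
    "HXXP://Beacon.Example[.]net/api/poll",
    "beacon.example[.]NET",
    "203[.]0[.]113[.]45",
    "203.0.113.45",  # same address as the line above once normalized
    " 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 ",
]

_HEX = re.compile(r"^[0-9a-f]+$")
_IPV4 = re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")


def refang(value: str) -> str:
    """Undo common defanging and lowercase so equal indicators compare equal."""
    v = value.strip().lower()
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?://)", r"http\1", v)


def defang(value: str) -> str:
    """Make a normalized indicator safe to paste: no clickable URLs, no resolvable hosts."""
    return re.sub(r"^http", "hxxp", value.replace(".", "[.]"))


def classify(value: str) -> str:
    """Assign an indicator type from its refanged, lowercased form (assumed labels)."""
    if re.match(r"^https?://", value):
        return "url"
    if _IPV4.match(value):
        return "ipv4"
    if len(value) in (32, 40, 64) and _HEX.match(value):
        return {32: "md5", 40: "sha1", 64: "sha256"}[len(value)]
    return "domain"  # catch-all for this example; a real pipeline would validate further


def normalize(raw: List[str]) -> List[Dict[str, str]]:
    """Refang, classify and dedupe; every emitted value is defanged again."""
    seen = set()
    rows = []
    for item in raw:
        clean = refang(item)
        if clean in seen:
            continue
        seen.add(clean)
        rows.append({"type": classify(clean), "value": defang(clean)})
    return rows


def to_csv(rows: List[Dict[str, str]]) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["type", "value"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def to_json(rows: List[Dict[str, str]]) -> str:
    return json.dumps(rows, indent=2)


if __name__ == "__main__":
    normalized = normalize(RAW_INDICATORS)
    print(to_csv(normalized))
    print(to_json(normalized))
```

Deduplication happens on the refanged form and defanging is applied only at output, so the same address written two ways yields one row, and neither the CSV nor the JSON ever contains a live-looking value.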
Safety Boundary
The collection uses reviewed sanitized excerpts, fake fixtures, derived feature summaries, and indicators already published in the report. Raw executable payloads, raw environment captures, and private credential findings are intentionally withheld.