Evidence Boundary and Claim Classification
Safety boundary: This workbook performs static analysis of sanitized excerpts, fake fixtures, and derived public metadata. It does not execute attacker code, inspect the analyst's environment, or contact any network.
Why This Notebook Matters
Incident reports fail when possibility is rewritten as fact. This case has a clear ladder:
code capability
!= observed local execution
!= likely transmission
!= proven completed transmission
The matrix below turns each material claim into a classification, supporting artifact, missing proof source, publication-safe wording, and defensive control.
```python
# Claim matrix: one row per material claim, with its classification on the
# evidence ladder, the supporting artifact, the proof source still missing,
# the wording that is safe to publish, and the defensive control it motivates.
claims = [
{
"claim": "root npm install was executed",
"classification": "observed",
"artifact": "victim account plus preserved install/runtime context",
"missing_evidence": "complete shell audit trail",
"public_wording": "The user ran the root install.",
"control": "review before install; isolated host",
},
{
"claim": "prepare supplied automatic execution capability",
"classification": "proven",
"artifact": "preserved pre-containment package manifest",
"missing_evidence": "none for capability",
"public_wording": "The prepare lifecycle created an automatic execution path.",
"control": "disable lifecycle scripts during first review",
},
{
"claim": "node server launched through the fallback path",
"classification": "observed",
"artifact": "manifest command plus reconstructed nohup runtime evidence",
"missing_evidence": "full process accounting",
"public_wording": "Runtime evidence is consistent with the Linux fallback launch.",
"control": "alert on npm -> shell -> nohup -> node ancestry",
},
{
"claim": "server import chain reached socket/auth logic",
"classification": "observed",
"artifact": "static import chain plus executor origin in runtime trace",
"missing_evidence": "module-load telemetry",
"public_wording": "The import chain reached the first-stage loader path.",
"control": "review top-level module calls",
},
{
"claim": "environment POST path occurred",
"classification": "likely",
"artifact": "first-stage code plus returned stage-two execution",
"missing_evidence": "receiver log or preserved request body",
"public_wording": "The first-stage environment POST likely succeeded.",
"control": "empty environment and egress deny",
},
{
"claim": "serverless endpoint returned stage-two JavaScript",
"classification": "proven",
"artifact": "captured response hash plus runtime executor trace",
"missing_evidence": "none for returned captured bytes",
"public_wording": "The endpoint returned the captured stage, which the loader executed.",
"control": "never grant response text execution authority",
},
{
"claim": "stage two attempted direct-IP C2",
"classification": "observed",
"artifact": "public IOC plus connect ENETUNREACH runtime error",
"missing_evidence": "full packet capture",
"public_wording": "The stage attempted a direct-IP connection that failed in the observed run.",
"control": "direct-IP egress block and process-network monitoring",
},
{
"claim": "direct-IP C2 completed",
"classification": "not proven",
"artifact": "observed error weighs against completion",
"missing_evidence": "successful handshake, response, or server log",
"public_wording": "Direct-IP C2 completion was not demonstrated.",
"control": "retain flow and packet telemetry",
},
{
"claim": "remote tasking executed",
"classification": "not proven",
"artifact": "capability exists in static stage features",
"missing_evidence": "task response and resulting local effect",
"public_wording": "Remote tasking was possible but not observed.",
"control": "block egress and detect response-to-code flows",
},
{
"claim": "credential files were stolen",
"classification": "not evidenced",
"artifact": "not shown in captured stage",
"missing_evidence": "file access plus transmission evidence",
"public_wording": "Credential-file theft was not evidenced.",
"control": "secret isolation and file-access telemetry",
},
{
"claim": "wallet files were stolen",
"classification": "not evidenced",
"artifact": "not shown in captured stage",
"missing_evidence": "wallet-file access plus transmission evidence",
"public_wording": "Wallet-file theft was not evidenced.",
"control": "separate wallets from review hosts",
},
]
claims
```
```python
# How many claims land at each rung of the ladder.
from collections import Counter
Counter(row["classification"] for row in claims)
```
Reading the Matrix
- Proven answers a narrow proposition directly from preserved evidence.
- Observed means runtime or user evidence shows the path occurred.
- Likely is a strong inference with a named missing proof source.
- Plausible should be reserved for architecturally possible follow-on action.
- Not proven means evidence does not close the claim.
- Not evidenced means the reviewed artifacts do not show the behavior.
Absence of proof is not always proof of absence. But public wording must remain inside the available evidence, especially for high-impact claims such as credential or wallet theft.
```python
# Checklist applied to every sentence before it is published.
publication_test = [
{
"question": "Does the wording name the supporting artifact?",
"required": True,
},
{
"question": "Does it separate capability from execution?",
"required": True,
},
{
"question": "Does it identify missing network or receiver evidence?",
"required": True,
},
{
"question": "Would a reasonable reader mistake possibility for fact?",
"required_answer": "no",
},
]
publication_test
```
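The ladder definitions and the publication checklist above can be applied mechanically to each matrix row. The following is an added example, not part of the original workbook: a small linter whose rank values, hedge and negation word lists, and the `check_claim`/`audit` helpers are this example's own assumptions, run over three rows copied from the matrix plus one constructed bad draft.

```python
# Added example: lint public wording against its evidence-ladder classification.
# RANK, HEDGES, NEGATIONS and the rules below are assumptions of this example.
RANK = {"proven": 4, "observed": 3, "likely": 2, "plausible": 1,
        "not proven": 0, "not evidenced": 0}
HEDGES = ("likely", "possib", "may ", "might")            # possibility language
NEGATIONS = ("not demonstrated", "not observed", "not evidenced",
             "not proven", "not shown", "unproven")       # claim explicitly left open

def check_claim(row):
    """Return the list of wording failures for one matrix row; empty means it passes."""
    failures = []
    cls = row["classification"]
    wording = row["public_wording"].lower()
    if cls not in RANK:
        return [f"unknown classification {cls!r}"]
    if not row.get("artifact"):
        failures.append("no supporting artifact named")
    if RANK[cls] >= 3 and any(h in wording for h in HEDGES):
        failures.append("proven/observed wording should not read as mere possibility")
    if RANK[cls] in (1, 2) and not any(h in wording for h in HEDGES):
        failures.append("likely/plausible wording must carry an explicit hedge")
    if RANK[cls] == 0 and not any(n in wording for n in NEGATIONS):
        failures.append("not-proven wording must say the claim is not closed")
    if cls != "proven" and row.get("missing_evidence", "").startswith("none"):
        failures.append("non-proven claim must name its missing proof source")
    return failures

def audit(rows):
    """Map each failing claim to its failures; passing rows are omitted."""
    return {r["claim"]: f for r in rows if (f := check_claim(r))}

# Constructed fixture: three rows from the matrix plus one deliberately bad draft.
SAMPLE = [
    {"claim": "serverless endpoint returned stage-two JavaScript", "classification": "proven",
     "artifact": "captured response hash plus runtime executor trace",
     "missing_evidence": "none for returned captured bytes",
     "public_wording": "The endpoint returned the captured stage, which the loader executed."},
    {"claim": "environment POST path occurred", "classification": "likely",
     "artifact": "first-stage code plus returned stage-two execution",
     "missing_evidence": "receiver log or preserved request body",
     "public_wording": "The first-stage environment POST likely succeeded."},
    {"claim": "direct-IP C2 completed", "classification": "not proven",
     "artifact": "observed error weighs against completion",
     "missing_evidence": "successful handshake, response, or server log",
     "public_wording": "Direct-IP C2 completion was not demonstrated."},
    {"claim": "remote tasking executed (bad draft)", "classification": "not proven",
     "artifact": "capability exists in static stage features",
     "missing_evidence": "none",
     "public_wording": "The stage executed remote tasking."},
]
```

Running `audit(SAMPLE)` flags only the bad draft, with two failures: it states a not-proven claim as fact and names no missing proof source.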
Final Evidence-Bound Conclusion
The strongest public conclusion is that the root install activated the lifecycle path, the import chain reached the loader, returned stage-two code executed, and that stage attempted a direct-IP connection. The observed connection failed with ENETUNREACH.
The first-stage environment POST likely completed because a stage was returned, but the exact received body is withheld and not fully asserted. Direct-IP C2 completion, remote task execution, credential-file theft, and wallet-file theft remain unproven or not evidenced.
The operational lesson is broader than this repository: treat package install, module import, remote response handling, environment reachability, and network egress as explicit trust boundaries. Preserve enough telemetry to distinguish what code could do from what it actually did.