We deobfuscated a massive campaign of 148 npm packages, including ilovefemboys, miguelphonk, and charlie-kirk. Disguised as student web proxies under names like Riverbend Tutoring, these packages hid mutable remote code execution vectors and a high-performance Wisp-compatible WebSocket traffic generator. They were designed to silently enlist visiting browsers into distributed denial-of-service botnets while generating aggressive popunder advertising revenue.

During a recent registry audit, we identified a highly active npm malware campaign consisting of 148 packages published under suspicious names. The first wave was uploaded beginning on May 27, 2026, by the npm account terminal3airport, followed by a newer wave on July 8, 2026, by eerikakirk. Many of these packages were removed from npm, but several remained active, including charlie-kirk version 2.0.0 and version 3.0.1.
The campaign's public-facing presentation is a web proxy application branded as "Lucide," disguised as a tutoring landing page named "Riverbend Tutoring" or "Northstar Tutoring." When a user visits the proxy page, the application functions normally, allowing students to browse restricted websites or play games. However, beneath this functional facade, the application executes a series of malicious scripts that connect visitor browsers to a coordinated, remotely controlled traffic-generation network.

The Lucide Proxy website archived on May 18, 2026, during the period when the remote loader and Wisp traffic generator were present.
This campaign is not a traditional dependency infection. The packages contain no installation lifecycle hooks or native node build scripts. Instead, they abuse the npm registry as a free, high-bandwidth content delivery network to host the static browser application assets. Users are affected when they visit any instance of these web proxies, turning their browser sessions into active denial-of-service nodes.
The early wave of this campaign was covered by SafeDep in a brief advisory, which documented 141 packages published by the terminal3airport account. At the time, prior reporting classified the campaign purely as adware spam and npm registry abuse. SafeDep noted that the packages hosted an ad-supported Scramjet proxy targeting student users to generate click revenue via popunders.
However, static analysis and deobfuscation of the active entry bundles reveal that the campaign carries highly toxic capabilities that were completely undocumented. By tracing the historical evolution of the upstream builds and retrieving archived payloads from the Internet Archive, we recovered the actual operational history of the campaign. During a critical window in late May, the operators actively weaponized the proxy network, turning each visiting student's browser into a high-rate HTTP flood source and a protocol-level WebSocket traffic generator.
We traced the campaign back to a group of closely coordinated GitHub accounts and infrastructure.
The active application assets were compiled and distributed from a public GitHub repository under the organization lucideproxy. Metadata from GitHub reveals a tight registration timeline:
- The account
coinbaselarperwas created on April 12, 2026, at 02:34:09 UTC. - The account
simswaplarperwas created exactly 43 seconds later, at 02:34:52 UTC. - The
lucideproxyorganization was created at 02:46:33 UTC, just twelve minutes aftercoinbaselarper. - The build repository
lucideproxy/svgwas created at 03:54:05 UTC.
Most commits in the build repository were authored by coinbaselarper, who listed the public commit email main@geeked.wtf and the Discord alias @ap5z. A second account, svg-bot, registered with the email stefanvangetson54@gmail.com, was also used to automate publication.
The hosting footprints are highly concentrated. A pivot on the campaign's stable Google Analytics property (G-0VL3ZSBXDH) and monetization domains recovered 93 deployment hostnames. Ninety of these deployments resolved to a single IP address: 92.38.177.17, hosted in AS199524 (G-Core Labs).
The domains used for these deployments were deep, rapidly changing, education-themed subdomains, such as:
teamparker.id.au(37 scans)homeless.camdvr.org(21 scans)appleishealthy.duckdns.org(16 scans)
The threat actors also registered a large number of bizarre, highly specific npm package names. Standalone titles include charlie-kirk, testdonotredeemit, acidic, backupgenuine-updated, bismillahitidakimas, bomboclatwallahi, captainindia, crazynut, fflc-updated, howmanygreatbritain, kirkland, lowkeybored, lowkirkuenly, midnightrush, miguelphonk, omglucidesotuff, omgyesyesyes, pasirianspirit, thebigyahu, whatsadmaidk, changiairportpromax, and ilovefemboys.
The rest of the campaign consists of numbered batches. These include the abuden, imillegal, ishowfeet, nottuff, ratelimitsucks, sixseven, speed, backupsitetuff, and timmytuffknuckles families of packages. The actor also used a loosely numbered backup family, with names such as backup1-gg up to backup5-updated.
The entry point of the application is loaded from index.html, which runs assets/73sxysj46r.js. This file was distributed as a 5.4 MB, single-line bundle with heavy string arrays, rotation functions, hex-identifier decoding, and arithmetic expressions used to hide simple constants. Before deobfuscation, the original file was a single, massive line of code. After passing it through static deobfuscation, this single line of code expanded into over 20,600 lines of fully structured, readable JavaScript, exposing the hidden logic.
Upon loading, and before any user interface is rendered, the application tail-executes two hidden modules:

The functions G2() and I2() are responsible for the remote code execution and traffic generation capabilities, respectively.
Before deobfuscation, the jsDelivr URL is assembled from decoder calls and partial strings, while the loader function is buried beneath generated identifiers and numeric lookup tables:

After running the deobfuscator, the mutable remote URL and the script injection sequence become explicit:

This loader implements several dangerous design patterns:
- Mutable Target: The loader targets the mutable
mainbranch of a GitHub repository rather than an immutable commit hash. - No Integrity Checks: No Subresource Integrity (SRI) hash is provided, allowing the owner of the GitHub account
canyoupleasesaysomethingto change the code executed by every visitor at any time. - Full Origin Privilege: The loaded script runs with the same origin privileges as the proxy app, giving it full access to cookies, local storage, and same-origin API endpoints.
- Concealed Source: The
referrerPolicy = "no-referrer"attribute reduces the referrer visibility in the request, helping to conceal the originating site.
Although the GitHub repository canyoupleasesaysomething/cdn returned HTTP 404 at our analysis time, we recovered a historical response from May 30, 2026, using Wayback Machine archives. This snapshot captured the actual second-stage payload (cdn.js) that was actively served to visitor browsers.
The recovered script was extremely simple but highly destructive:

This payload is an unthrottled browser-based HTTP flood:
- It sets an interval that runs every 500 milliseconds.
- Every half-second, it generates a fresh one-million-character string using
"a".repeat(1000000). - It serializes this string into a JSON request body and issues a cross-origin
POSTrequest tocdn.caan.edu, the public network domain of the CAAN Academy of Nursing in Matteson, Illinois. - Because the interval is unthrottled and does not await the response of prior requests, the client browser will continuously pile up outgoing requests, consuming all available system memory and upload bandwidth.
- At a rate of two 1MB requests per second, each active proxy visitor generates roughly 2 megabytes per second of raw upload traffic. A fleet of only 1,000 active visitors would generate an aggregate flood of 2 gigabytes per second, easily overwhelming a school's public website.
- The randomized query parameter
vdefeats caching proxies, andmode: "no-cors"allows the simple cross-origin POST to skip CORS preflight, ensuring the packet is sent immediately.
The same contrast appears in the WebSocket module. Before deobfuscation, the configuration URL and operational constants are reconstructed through decoder calls and arithmetic:

The deobfuscated output reveals the mutable websocket.txt endpoint, the 1,024-socket limit, the localhost destination, and the loop that staggers each connection by 120 milliseconds:

The application fetches websocket.txt with cache: "no-store" to bypass browser cache and retrieve the configuration in real-time. It parses the text file for two values: a target WebSocket URL (ws:// or wss://) and a numeric connection count constrained between 1 and 1,024.
An archived copy of websocket.txt recovered from the attacker's GitHub repository contained:

This configuration instructed each visitor's browser to open 30 WebSocket connections to the specified Wisp endpoint. At analysis time, lunaron.top was itself hosting a working web proxy:

The live Lunar v2 proxy hosted at lunaron.top, captured on July 13, 2026. While the domain is currently used for standard ad-supported proxy hosting and does not actively serve the weaponized Lucide DDoS modules, it remains unsafe as it actively injects malvertising scripts from profitablecpmratenetwork.com into visitor sessions.
Once parsed, the application enters a staggered loop, launching the connection pool with a 120-millisecond delay between sockets.
Once a WebSocket connection is successfully established with the target, the application sets the socket's binaryType to arraybuffer. Every 100 milliseconds, each of the active connections sends a pair of binary packets: a CONNECT packet followed immediately by a CLOSE packet.
These packets are built using little-endian byte orders and match the transport semantics of the Wisp v2 protocol:
Connect Packet Structure (17 bytes):
- Offset 0:
0x01(Connect Opcode) - Offset 1: Stream ID (4-byte little-endian)
- Offset 5:
0x01(Hostname address type) - Offset 6: Port 1 (2-byte little-endian)
- Offset 8:
localhost(9-byte ASCII string)
Close Packet Structure (6 bytes):
- Offset 0:
0x04(Close Opcode) - Offset 1: Same Stream ID (4-byte little-endian)
- Offset 5:
0x02(Close reason/status code)
Because the proxy application utilizes a Scramjet and Wisp background bridge to route browser traffic, these packets are syntactically valid Wisp control frames. The target is not the visiting user's local machine, but rather the remote Wisp proxy server.
By sending a rapid stream of CONNECT frames targeting localhost:1 followed by a CLOSE frame for the same stream ID, a single visitor's browser asks the remote Wisp server to establish and destroy up to 10,240 socket connections per second.
In legacy Wisp implementations, such as Mercury Workshop's wisp-server-node, each received CONNECT frame triggers the immediate instantiation of a new net.Socket and launches an asynchronous socket connection without verifying if the target is a loopback or private address. Additionally, the server logs every connection attempt at the INFO level.
At the maximum configuration of 1,024 concurrent WebSockets, a single browser session can force a target Wisp server to process:
- 10,240 socket allocations and connection attempts per second.
- 10,240 corresponding socket destructions.
- Over 20,000 log writes per second.
This control-plane attack easily exhausts the target server's file descriptor limits, floods its log storage, and crashes the proxy service entirely.
To verify these capabilities without risking live network calls, we performed a sandboxed local simulation. Feeding the decompiled variables into a mock browser runtime proved that the remote code easily extracts cookies and local storage tokens, sending them back to the attacker via beaconing. The loopback test also captured the exact binary frames of the Wisp protocol:

This confirmed our manual packet-level reconstruction, demonstrating that the Wisp protocol encoder functions exactly as designed to generate coordinated control-plane traffic.
An analysis of 22 public commits in the lucideproxy/svg build repository reveals a rapid evolution of features and threat levels over a very short timeframe:
| Date | Event | Malicious Modules |
|---|---|---|
| March 5, 2026 | Earliest Lucide page observed utilizing GA property G-0VL3ZSBXDH and reverse DNS geeked.wtf. |
None (Adware Only) |
| March 16, 2026 | First traffic monetized via woofbeginner.com scripts. |
None (Adware Only) |
| May 16, 2026 | Commit bcc9868e345b6 adds the remote script loader cdn.js just 33 minutes after the GitHub account canyoupleasesaysomething was created. |
Remote Loader (RCE) |
| May 17, 2026 | Commit 9b7ca53d6bd8c adds the Wisp WebSocket generator, capped at 64 sockets. |
Remote Loader + Wisp Flood (64 sockets) |
| May 17, 2026 | Commit ccc7c921bc931 introduces full-bundle obfuscation and increases the maximum socket limit to 1,024. |
Remote Loader + Wisp Flood (1,024 sockets) |
| May 30, 2026 | Wayback records active HTTP flood attacking cdn.caan.edu from visitor browsers. |
Active HTTP Flood |
| May 31, 2026 | Commit cf741e982181a removes the remote script loader and Wisp modules, returning the build to standard ad-supported files. |
None (Adware Only) |
| July 8, 2026 | A second wave brings the campaign total to 148 packages under account eerikakirk, containing the obfuscated, ad-monetized builds. |
None (Adware Only) |
The timeline shows that the aggressive DDoS capabilities were active for a window of roughly two weeks in May 2026. After public reporting began, the operators cleanly stripped the remote loader and Wisp traffic generators from the upstream repository, reverting the build back to standard popunder adware. The wave of packages published in July 2026 contains these later, adware-only builds.
However, because the underlying application structure remains heavily obfuscated and continues to load external third-party scripts from domains like c.vipersfutbol.com, the threat actor preserves the ability to re-introduce malicious capabilities or direct traffic dynamically.
Because this threat is delivered as a client-side web application rather than an installation-phase implant, the remediation steps focus on identifying hosting instances, protecting student workstations, and blocking infrastructure communication.
Network administrators, particularly in educational and corporate environments where student web proxies are frequently accessed, should immediately block the following domains at the DNS level:
woofbeginner.comc.vipersfutbol.comrealizationnewestfangs.comprotrafficinspector.compreferencenail.comskinnycrawlinglax.comcdn.conditionfuneral.comlucideon.topwisp.breadarchive.dpdns.org21baseballacademy.com
Users who have visited any of the affected proxy websites should clear their browser data to remove registered service workers and cached assets:
- Open the browser's settings menu.
- Select Clear Browsing Data.
- Choose to delete Cached images and files and Cookies and other site data for all time.
- For advanced users, navigate to
chrome://serviceworker-internals/or the equivalent path in your browser and unregister any service worker registered by a tutoring or proxy domain.
If your build pipelines or development environments have fetched any package listed in this campaign, remove every matching package from dependency manifests and lockfiles. Rebuild affected environments from clean sources, then verify that none of the package names in the table below remain in direct or transitive dependencies.
| Package Name | Malicious Versions | Xray ID |
|---|---|---|
charlie-kirk |
2.0.0, 3.0.1 | XRAY-1026483 |
ilovefemboys |
1.1.3, 2.0.0 | XRAY-1026418 |
abuden1 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026380 |
abuden2 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026396 |
abuden21 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026474 |
abuden210 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026403 |
abuden211 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026461 |
abuden212 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026478 |
abuden213 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026451 |
abuden214 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026372 |
abuden215 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026376 |
abuden216 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026433 |
abuden217 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026518 |
abuden218 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026472 |
abuden219 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026485 |
abuden22 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026484 |
abuden220 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026498 |
abuden221 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026448 |
abuden222 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026493 |
abuden223 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026425 |
abuden224 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026444 |
abuden225 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026456 |
abuden226 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026440 |
abuden227 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026419 |
abuden228 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026491 |
abuden229 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026502 |
abuden23 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026473 |
abuden230 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026515 |
abuden24 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026452 |
abuden25 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026409 |
abuden26 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026463 |
abuden27 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026400 |
abuden28 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026458 |
abuden29 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026454 |
abuden3 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026519 |
abuden4 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026416 |
abuden5 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026462 |
acidic |
2.0.0 | XRAY-1026252 |
backup1-gg |
1.1.2, 2.0.0 | XRAY-1026432 |
backup2-asd |
1.1.2, 2.0.0 | XRAY-1026385 |
backup3-ff |
1.1.2, 2.0.0 | XRAY-1026508 |
backup4-gasp |
1.1.2, 2.0.0 | XRAY-1026445 |
backup5-updated |
1.1.2, 2.0.0 | XRAY-1026453 |
backupgenuine-updated |
1.1.2, 2.0.0 | XRAY-1026466 |
backupsitetuff10 |
1.1.7, 2.0.0 | XRAY-1026481 |
backupsitetuff3 |
1.1.7, 2.0.0 | XRAY-1026407 |
backupsitetuff6 |
1.1.7, 2.0.0 | XRAY-1026422 |
backupsitetuff9 |
1.1.7, 2.0.0 | XRAY-1026467 |
bismillahitidakimas |
1.1.2, 2.0.0 | XRAY-1026381 |
bomboclatwallahi |
1.1.2, 2.0.0 | XRAY-1026497 |
captainindia |
1.1.2, 2.0.0 | XRAY-1026388 |
crazynut |
1.1.2, 2.0.0 | XRAY-1026374 |
fflc-updated |
1.1.2, 2.0.0 | XRAY-1026512 |
howmanygreatbritain |
1.1.2, 2.0.0 | XRAY-1026404 |
imillegal1 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026475 |
imillegal2 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026441 |
imillegal3 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026389 |
imillegal4 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026511 |
imillegal5 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026414 |
ishowfeet1 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026428 |
ishowfeet10 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026471 |
ishowfeet11 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026394 |
ishowfeet12 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026490 |
ishowfeet13 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026505 |
ishowfeet14 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026426 |
ishowfeet15 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026501 |
ishowfeet16 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026486 |
ishowfeet17 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026420 |
ishowfeet18 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026417 |
ishowfeet19 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026438 |
ishowfeet2 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026487 |
ishowfeet20 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026410 |
ishowfeet3 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026408 |
ishowfeet4 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026455 |
ishowfeet5 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026436 |
ishowfeet6 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026406 |
ishowfeet7 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026386 |
ishowfeet8 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026401 |
ishowfeet9 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026446 |
kirkland |
1.1.2, 2.0.0 | XRAY-1026402 |
lowkeybored |
1.1.2, 2.0.0 | XRAY-1026378 |
lowkirkuenly |
1.1.2, 2.0.0 | XRAY-1026507 |
midnightrush |
1.1.2, 2.0.0 | XRAY-1026465 |
miguelphonk |
1.1.2, 2.0.0 | XRAY-1026517 |
nottuff1 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026464 |
nottuff10 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026450 |
nottuff11 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026373 |
nottuff12 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026379 |
nottuff13 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026468 |
nottuff14 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026423 |
nottuff15 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026391 |
nottuff16 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026449 |
nottuff17 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026447 |
nottuff18 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026499 |
nottuff19 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026383 |
nottuff2 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026470 |
nottuff20 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026421 |
nottuff21 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026459 |
nottuff22 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026480 |
nottuff23 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026479 |
nottuff24 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026488 |
nottuff25 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026442 |
nottuff26 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026399 |
nottuff27 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026434 |
nottuff28 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026415 |
nottuff29 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026382 |
nottuff3 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026489 |
nottuff30 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026439 |
nottuff4 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026443 |
nottuff5 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026424 |
nottuff6 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026413 |
nottuff7 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026390 |
nottuff8 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026495 |
nottuff9 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026392 |
omglucidesotuff |
1.1.2, 2.0.0 | XRAY-1026482 |
omgyesyesyes |
1.1.2, 2.0.0 | XRAY-1026504 |
pasirianspirit |
1.1.2, 2.0.0 | XRAY-1026405 |
ratelimitsucks |
1.1.2, 1.1.7, 1.7.7, 2.0.0 | XRAY-1026494 |
ratelimitsucks1 |
1.1.3, 1.1.7, 2.0.0 | XRAY-1026503 |
ratelimitsucks10 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026516 |
ratelimitsucks2 |
1.1.4, 1.1.7, 1.7.7, 2.0.0 | XRAY-1026429 |
ratelimitsucks3 |
1.1.5, 1.1.7, 2.0.0 | XRAY-1026435 |
ratelimitsucks4 |
1.1.6, 1.1.7, 2.0.0 | XRAY-1026460 |
ratelimitsucks5 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026430 |
ratelimitsucks6 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026510 |
ratelimitsucks9 |
1.1.7, 2.0.0 | XRAY-1026398 |
sixseven1 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026457 |
sixseven10 |
1.7.7 | XRAY-1026276 |
sixseven2 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026375 |
sixseven3 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026393 |
sixseven4 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026384 |
sixseven5 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026509 |
sixseven6 |
1.1.7, 1.7.7, 2.0.0 | XRAY-1026395 |
sixseven7 |
1.7.7 | XRAY-1026279 |
sixseven8 |
1.7.7 | XRAY-1026269 |
sixseven9 |
1.7.7 | XRAY-1026250 |
speed1 |
1.1.7, 2.0.0 | XRAY-1026469 |
speed2 |
1.1.7, 2.0.0 | XRAY-1026506 |
speed3 |
1.1.7, 2.0.0 | XRAY-1026427 |
speed4 |
1.1.7, 2.0.0 | XRAY-1026411 |
speed5 |
1.1.7, 2.0.0 | XRAY-1026476 |
thebigyahu |
1.1.2, 2.0.0 | XRAY-1026492 |
timmytuffknuckles3 |
1.1.7, 2.0.0 | XRAY-1026496 |
timmytuffknuckles6 |
1.1.7, 2.0.0 | XRAY-1026387 |
timmytuffknuckles9 |
1.1.7, 2.0.0 | XRAY-1026377 |
whatsadmaidk |
1.1.2, 2.0.0 | XRAY-1026513 |
changiairportpromax |
1.1.3, 2.0.0 | XRAY-1026514 |
testdonotredeemit |
1.0.0, 2.0.0, 2.1.1 | XRAY-1026313 |
The Lucide Proxy campaign illustrates the risks of using third-party unblocking applications and proxies. While students and general users perceive these services as convenient bypass utilities, the underlying infrastructure can be, and has been, used as a weaponized browser botnet. By leveraging mutable remote scripts and high-concurrency connection pools, the threat actors demonstrated how easily static web assets can conduct massive, coordinated floods without direct system infection. Security teams must monitor and block the associated infrastructure domains to keep network resources safe from silent background abuse.
https[:]//cdn[.]jsdelivr[.]net/gh/canyoupleasesaysomething/cdn@main/cdn[.]jshttps[:]//cdn[.]jsdelivr[.]net/gh/canyoupleasesaysomething/cdn@main/websocket[.]txthttps[:]//cdn[.]caan[.]edu/-/?v=https[:]//woofbeginner[.]com/jivd2xu8https[:]//woofbeginner[.]com/0a/91/35/0a913561831bdf2c26dcf18b852b5cc1[.]jshttps[:]//wisp[.]breadarchive[.]dpdns[.]orghttps[:]//21baseballacademy[.]comhttps[:]//lucideon[.]tophttps[:]//c[.]vipersfutbol[.]com/script[.]jshttps[:]//realizationnewestfangs[.]comhttps[:]//protrafficinspector[.]com/statshttps[:]//preferencenail[.]com/sfp[.]jshttps[:]//skinnycrawlinglax[.]com/dnn2hkn8https[:]//cdn[.]conditionfuneral[.]com
92[.]38[.]177[.]1792[.]38[.]177[.]10153[.]75[.]225[.]1785[.]188[.]124[.]6792[.]38[.]177[.]1692[.]38[.]177[.]37
- Google Analytics:
G-0VL3ZSBXDH - Publisher Placement:
0a913561831bdf2c26dcf18b852b5cc1 - Popunder Key:
c6851a038da578a80eeb201e0588c84c - Developer Email:
main@geeked[.]wtf - Developer Email:
me@geeked[.]wtf - Developer Email:
stefanvangetson54@gmail[.]com
| SHA-256 | Description |
|---|---|
eb4e1394d537d8eba509dd5c57e7aaf4c1df57715c7161330012a11f6202af84 |
assets/73sxysj46r.js |
10ddbbae0070267b8d15888b09a3cdb19fa74d861315b71f21c9ace8b9f85c75 |
assets/script.js |
4b188d179e50e8208a6efec85e273e88d8fc390c836f299ba12915e0840408fd |
Archived HTTP flood payload |