Ratty Bot Extra Quality

Initially coded to target the sneaker market (Nike SNKRS, Shopify sites, and Supreme), Ratty has since evolved into a multi-purpose scalping tool. Today, it is widely used to purchase:

Use Sysmon (Event IDs 19-21) to alert on WMI event consumer creations. Any new permanent WMI subscription should be treated as a red alert. Tools like WMITools from Microsoft can list active bindings: wmic /namespace:\\root\subscription PATH __EventFilter GET

Attackers published three malicious packages to the npm registry (used by millions of JavaScript developers) named url-resolve-ratty, axios-fix-rat, and load-env-rat. These packages contained the Cheese Loader. Developers who downloaded these packages inadvertently introduced Ratty Bot into their CI/CD pipelines, leading to supply chain attacks on three major retail chains.