From Gamifly to AjunaVerse and AlchemyMVP: Parallel Weaponization of a Shared Poker Repository Lineage

“The branches diverged; the payload did not.”

Executive Summary: This report analyzes two GitHub repositories discovered through follow-on hunting after ThreatProphet’s investigation of the Interexy-branded Gamifly lure:

hxxps://github[.]com/LimitBreak-Solutions/AjunaVerse
hxxps://github[.]com/AlchemyGlobal/AlchemyMVP

The repositories were not directly delivered to the investigator during a recruitment interaction. They were identified by pivoting on Git commits, repository structure, poker-game artifacts, VS Code execution patterns, and malware-loader code preserved in the Gamifly lineage. Both were acquired as forensic Git mirrors on June 9, 2026. ...

June 9, 2026 · ThreatProphet

Interexy-Branded Gamifly Repositories: Evolution of the BetPoker Loader into a Vercel-Gated Node.js Tasking Implant

“The game stayed the same; only the organization name, gate, and dealer address changed.”

Executive Summary: This report analyzes an Interexy-branded fake developer recruitment operation that delivered a GitHub repository named Gamifly during a remote interview workflow. The engagement began with a LinkedIn job offer, moved to Calendly for interview scheduling, and culminated in a repository link shared during the call. A subsequent GitHub search identified a second repository under a slightly different organization name: ...

June 9, 2026 · ThreatProphet

PawCommerce Developer Task: VS Code Folder-Open Tasks and Git Hooks Deliver Cross-Platform Node.js Stealer

“What was given as work concealed its blade in the hidden hooks.”

Executive Summary: This report analyzes a PawCommerce-themed developer-task lure delivered during a fake recruitment workflow. The initial contact occurred through LinkedIn, where a recruiter persona using the display name Nathaniel Nicdao asked whether the target would be open to a brief conversation and requested a CV or resume. The LinkedIn profile was later unavailable. A subsequent Google Calendar invitation used the persona Mark Harris <mark.harris.workspace@gmail[.]com>, and the development task was delivered through a OneDrive share displaying the account name Mimori Okamoto. The OneDrive page hosted a ZIP file named pawCommerce.zip. ...

June 3, 2026 · ThreatProphet

Kryptic Haven-Branded Git Challenge: Malicious Hooks Deliver Gurucooldown Payload Chain and Multi-Module JavaScript Backdoor

“They called it a haven; the rebase was the altar, and the hook was the knife.”

Executive Summary: This report analyzes a Kryptic Haven-branded recruitment lure that began with a LinkedIn message from a recruiter persona named Tatiana Zadorozhnia. The report treats Kryptic Haven as lure branding and low-assurance recruitment infrastructure; it does not establish whether any legitimate company, brand owner, or third-party profile was actor-created, compromised, impersonated, or otherwise misused. The message directed the target to a 24-hour hiring-process link at: ...

May 17, 2026 · ThreatProphet