ridgeline-transfer-exfil — MFT exploit → mass exfil
Ridgeline Benefits Administration — internet-facing RidgeTransfer 4.x SQLi foothold, humanlook.aspx dwell, svc-ridgetransfer bulk download (~412k objects), egress burst, synthetic leak-site post. Fully synthetic.
synthetic reference
inspired by — not a copy of — the progress moveit transfer / cl0p incidents of 2023. ridgeline benefits administration is a fictional organization. all evidence, ips, hashes, file names, and employee identifiers are synthetic and deterministically generated from a public seed. educational reference only. not affiliated with progress software.
what this proves
- every primary engine produces deterministic, fixture-locked output — verified by npm run check:flagship (4/4).
- every output is generated 100% locally in your browser — no upload, no server-side processing of your evidence.
- the full case binder is built from these outputs without uploading a single byte — click below to generate it locally.
primary engines locked to this fixture
build the case binder
one click runs all eight primary engines on the synthetic evidence, assembles findings into a self-contained html binder, and opens it in a new tab. print to pdf from there — still zero upload.
download the synthetic evidence
MIT-licensed, fully synthetic, safe to attach to a PR or send to a reviewer. compare your local runs against the published goldens.
built deterministically from scripts/fixtures/build-ridgeline-transfer-exfil.mjs. seed: ridgeline-transfer-exfil:v1.
methodology
deployed-product supply-chain incidents start at the internet edge — not in your build pipeline. scope the MFT/web tier first: IIS exploit noise, web shell placement, service-account abuse on legitimate download paths, then egress volume and double-extortion artifacts. contrast with helix-supply-chain-compromise (CI poison). read the full supply chain compromise guide →
after the playbook
run each primary locally — or export findings from the binder — then drop every csv/json into fatcousin-multi-tool-super-timeline-correlator. one timestamp-sorted timeline across SQLi foothold, web shell dwell, bulk transfer activity, firewall egress, and leak-site posts — still zero upload.
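The correlation step above (and the scoping order from the methodology section), as an added example that is not the fatcousin correlator's own code: it normalizes constructed csv/json engine exports into one UTC, timestamp-sorted timeline and measures foothold-to-leak dwell. Engine names, field names, timestamp formats and every record value are assumptions built for this example.

```python
"""Added example (not the page's own correlator): normalize per-engine
csv/json exports into one UTC, timestamp-sorted timeline."""
import csv, io, json
from datetime import datetime, timezone

# Constructed sample exports, one per primary engine. Field names and
# timestamp formats deliberately differ, as separate tools' outputs do.
EXPORTS = {
    "sqli-foothold":   ("csv", "ts", "%Y-%m-%dT%H:%M:%SZ",
        "ts,src_ip,uri,status\n2023-05-27T22:14:03Z,198.51.100.23,/ridgetransfer/api/session.aspx,500\n"),
    "webshell-dwell":  ("csv", "date time", "%Y-%m-%d %H:%M:%S",
        "date time,uri,hits\n2023-05-27 22:19:41,/ridgetransfer/humanlook.aspx,1\n"
        "2023-06-02 03:10:05,/ridgetransfer/humanlook.aspx,37\n"),
    "bulk-transfer":   ("json", "epoch", "epoch",
        '[{"epoch": 1685235737, "user": "svc-ridgetransfer", "objects": 412000}]'),
    "firewall-egress": ("csv", "ts", "%Y-%m-%dT%H:%M:%SZ",
        "ts,src,dst,gb_out\n2023-05-28T01:05:00Z,10.20.0.15,198.51.100.23,9.8\n"),
    "leak-site":       ("json", "posted_at", "%Y-%m-%dT%H:%M:%SZ",
        '{"posted_at": "2023-06-06T14:00:00Z", "victim": "ridgeline benefits administration"}'),
}

def to_utc(value, fmt):
    """Normalize an engine timestamp (ISO Z, naive-as-UTC, or epoch) to aware UTC."""
    if fmt == "epoch":
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def load_records(kind, text):
    """Parse one export; json exports may be a single object or a list."""
    if kind == "csv":
        return list(csv.DictReader(io.StringIO(text)))
    data = json.loads(text)
    return data if isinstance(data, list) else [data]

def build_timeline(exports=EXPORTS):
    """Return every record from every export as {ts, source, fields}, sorted by ts."""
    events = []
    for source, (kind, ts_field, fmt, text) in exports.items():
        for rec in load_records(kind, text):
            ts = to_utc(rec.pop(ts_field), fmt)
            events.append({"ts": ts, "source": source, "fields": rec})
    events.sort(key=lambda e: e["ts"])
    return events

def dwell_days(timeline):
    """Whole days from first SQLi foothold event to the leak-site post."""
    first = min(e["ts"] for e in timeline if e["source"] == "sqli-foothold")
    post = max(e["ts"] for e in timeline if e["source"] == "leak-site")
    return (post - first).days

if __name__ == "__main__":
    for e in build_timeline():
        print(e["ts"].isoformat(), e["source"], e["fields"])
    print("dwell days:", dwell_days(build_timeline()))
```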