Two URLs found in the exploit: https://checkmarx.zone/raw https://models.litellm.cloud/

these links trigger prefetch in chrome (doesn't respect nofollow rel).

I got popped by our security team, they were convinced I had this malware because my machine attempted to connect to the checkmarx domain.

clearly a false positive but I still had to roll credentials and wipe my machine.