Hackers Push 22 Versions of npm RAT With Wallet Theft and Persistent Backdoor
Cybersecurity NewsArchived May 27, 2026✓ Full text saved
A malicious npm package called forge-jsxy has been quietly stealing cryptocurrency wallet keys, browser credentials, and sensitive developer data across Windows, macOS, and Linux systems. Published to the npm registry on May 4, 2026, it pushed out 22 versions in 22 days, making it one of the most actively developed pieces of malware seen on […] The post Hackers Push 22 Versions of npm RAT With Wallet Theft and Persistent Backdoor appeared first on Cyber Security News .
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Hackers Push 22 Versions of npm RAT With Wallet Theft and Persistent Backdoor
By Tushar Subhra Dutta
May 27, 2026
A malicious npm package called forge-jsxy has been quietly stealing cryptocurrency wallet keys, browser credentials, and sensitive developer data across Windows, macOS, and Linux systems.
Published to the npm registry on May 4, 2026, it pushed out 22 versions in 22 days, making it one of the most actively developed pieces of malware seen on the platform.
The story begins before forge-jsxy existed. Its predecessor, forge-jsx, was published on April 7, 2026, and ran undetected for nearly a month before npm replaced it with a security placeholder.
Within hours of that takedown, the attacker created a new account under jacksonkaandorp2 and launched forge-jsxy, picking up exactly where the old package left off at version 1.0.66.
Analysts at SafeDep, whose threat intelligence pipeline tracks malicious open source packages in real time, identified and documented the full scope of the campaign.
SafeDep said in a report shared with Cyber Security News (CSN) that the same operator behind forge-jsx was responsible, noting that the command-and-control configuration, encryption scheme, and session credentials were identical across both packages.
The malware disguised itself as a Node.js integration layer for Autodesk Forge, a legitimate software development kit, appearing trustworthy to developers browsing the registry.
Once installed, a postinstall script deployed a hidden agent that began harvesting keystrokes, clipboard content, environment files, shell history, and desktop screenshots. Continuous integration environments were deliberately skipped to avoid detection during automated builds.
Over 50 days of combined activity across both package names, the operator shipped 88 versions and built a feature set that rivals commercial spyware.
The attacker maintained test coverage throughout, growing the test suite from 12 files to 20 by the final version, a discipline rarely seen in npm supply chain attacks.
Hackers Push 22 Versions of npm RAT
The 22 forge-jsxy versions rolled out in five clear development phases. The first phase, covering versions 1.0.66 through 1.0.76, carried the full forge-jsx feature set along with periodic desktop screenshots sent to Discord via rotating bot webhooks.
A second phase introduced a web-based file explorer letting attackers remotely browse victim file systems. By mid-May, the operator added WebRTC peer-to-peer data channels, giving the attacker a faster path that bypassed the main WebSocket relay.
Then on May 18 alone, six versions dropped in ten hours, delivering a cryptocurrency scanning framework that walked the entire file system looking for wallet files, seed phrases, and private keys.
Every find was validated with cryptographic checks before being stored in a hidden vault that persisted through reboots and package removal.
The final phase, ending with version 1.0.91 on May 26, added harvesting of Chromium browser extension databases from 21 or more browsers including Chrome, Edge, Brave, and Opera.
This targeted wallet extensions like MetaMask and Phantom directly. The same update introduced an auto-upgrade mechanism letting the relay server silently push new agent versions to all infected machines on a staggered schedule.
Persistence That Survives Package Removal
One of the most dangerous aspects of forge-jsxy is that uninstalling the package does not remove the threat. Starting with version 1.0.81, the malware copied its agent files into a hidden directory outside node_modules, meaning a standard npm uninstall removes the package listing but leaves the agent fully running in the background.
On Linux the persistent directory lives at ~/.local/share/cfgmgr/.forge-jsxy/, while macOS and Windows use their own equivalent paths.
A matching startup service, either a systemd unit, a LaunchAgent, or a Task Scheduler entry, ensures the agent restarts after every reboot. Developers who installed any version should treat all credentials and wallet keys on that machine as compromised.
SafeDep recommends manually deleting the durable agent directory and removing the associated startup service before considering the machine clean.
Anyone using browser-based crypto wallets should move funds to new wallets generated on a clean system. Given how quickly the attacker relaunched after the first takedown, another package under a new name should be expected if forge-jsxy is removed from the registry.
Indicators of Compromise (IoCs):-
Type Indicator Description
IP Address 204.10.194.247 C2 server hosted on AS206216 Advin Services LLC, Nürnberg, DE
WebSocket URL ws://204[.]10[.]194[.]247:9877 WebSocket relay port for agent command and control
HTTP URL hxxp://204[.]10[.]194[.]247:8765 HTTP API endpoint for exfiltrated data ingestion
npm Package forge-jsxy v1.0.66–v1.0.91 Malicious npm package (22 versions), maintainer jacksonkaandorp2
npm Package forge-jsx v1.0.0–v1.0.66 Original malicious package, same campaign, taken down May 4, 2026
Email jacksonkaandorp2@outlook.com Email address linked to attacker npm account jacksonkaandorp2
SHA-256 Hash 4938d47fe6216f8f9fee0527bf5112c04c15a9ea62f87869677619aa5400f09f Package artifact hash for forge-jsxy v1.0.91
File Path (Linux) ~/.local/share/cfgmgr/.forge-jsxy/ Durable agent persistence directory on Linux
File Path (macOS) ~/Library/Application Support/CfgMgr/data/.forge-jsxy/ Durable agent persistence directory on macOS
File Path (Windows) %LOCALAPPDATA%\CfgMgr\data.forge-jsxy\ Durable agent persistence directory on Windows
File Path <durable>/.vault/secret-audit/result.json Secret audit vault storing harvested crypto keys
Service Name (Linux) ~/.config/systemd/user/forge-js-worker.service Systemd persistence service for Linux
Service Name (macOS) ~/Library/LaunchAgents/com.forgejs.worker.plist LaunchAgent persistence entry for macOS
Service Name (Windows) Task Scheduler: ForgeJSWorker / HKCU…\Run\ForgeJSWorker Windows Task Scheduler and registry run key persistence
OSV Advisory MAL-2026-3609 Open Source Vulnerability advisory ID for this campaign
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
Trending News
PyrsistenceSniper – Tool that Detects 117 Persistence Malware Techniques on Windows, Linux, and macOS
Developer-Targeting Glassworm Malware Abuses npm, PyPI, OpenVSX, and GitHub
Hackers Use NF-e Invoice Lures to Deliver Banana RAT Through Malicious Batch Files
WhatsApp Chat Histories Stored Unencrypted on macOS and iOS
CISA Warns of Microsoft Defender 0-Day Vulnerabilities Exploited in Attacks
Latest News
Cyber Security News
Hackers Abuse AI Chatbot Recommendations to Push Malicious Software Download Links
Cyber Security
Motorola Phones Preinstalled App Found Hijacking Amazon App to Inject Affiliate Codes
AI
Attackers Can Exploit BadHost to Access Sensitive AI Agent Server Endpoints
Android
New BTMOB Malware Lets Attackers Remotely Control Android Devices
Cyber Security News
CISA Warns of LiteSpeed cPanel Plugin Vulnerability Exploited in Attacks