CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 27, 2026

Hackers Push 22 Versions of npm RAT With Wallet Theft and Persistent Backdoor

Cybersecurity News Archived May 27, 2026 ✓ Full text saved

A malicious npm package called forge-jsxy has been quietly stealing cryptocurrency wallet keys, browser credentials, and sensitive developer data across Windows, macOS, and Linux systems. Published to the npm registry on May 4, 2026, it pushed out 22 versions in 22 days, making it one of the most actively developed pieces of malware seen on […] The post Hackers Push 22 Versions of npm RAT With Wallet Theft and Persistent Backdoor appeared first on Cyber Security News .

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Hackers Push 22 Versions of npm RAT With Wallet Theft and Persistent Backdoor By Tushar Subhra Dutta May 27, 2026 A malicious npm package called forge-jsxy has been quietly stealing cryptocurrency wallet keys, browser credentials, and sensitive developer data across Windows, macOS, and Linux systems. Published to the npm registry on May 4, 2026, it pushed out 22 versions in 22 days, making it one of the most actively developed pieces of malware seen on the platform. The story begins before forge-jsxy existed. Its predecessor, forge-jsx, was published on April 7, 2026, and ran undetected for nearly a month before npm replaced it with a security placeholder. Within hours of that takedown, the attacker created a new account under jacksonkaandorp2 and launched forge-jsxy, picking up exactly where the old package left off at version 1.0.66. Analysts at SafeDep, whose threat intelligence pipeline tracks malicious open source packages in real time, identified and documented the full scope of the campaign.  SafeDep said in a report shared with Cyber Security News (CSN) that the same operator behind forge-jsx was responsible, noting that the command-and-control configuration, encryption scheme, and session credentials were identical across both packages. The malware disguised itself as a Node.js integration layer for Autodesk Forge, a legitimate software development kit, appearing trustworthy to developers browsing the registry. Once installed, a postinstall script deployed a hidden agent that began harvesting keystrokes, clipboard content, environment files, shell history, and desktop screenshots. Continuous integration environments were deliberately skipped to avoid detection during automated builds. Over 50 days of combined activity across both package names, the operator shipped 88 versions and built a feature set that rivals commercial spyware. The attacker maintained test coverage throughout, growing the test suite from 12 files to 20 by the final version, a discipline rarely seen in npm supply chain attacks. Hackers Push 22 Versions of npm RAT The 22 forge-jsxy versions rolled out in five clear development phases. The first phase, covering versions 1.0.66 through 1.0.76, carried the full forge-jsx feature set along with periodic desktop screenshots sent to Discord via rotating bot webhooks. A second phase introduced a web-based file explorer letting attackers remotely browse victim file systems. By mid-May, the operator added WebRTC peer-to-peer data channels, giving the attacker a faster path that bypassed the main WebSocket relay. Then on May 18 alone, six versions dropped in ten hours, delivering a cryptocurrency scanning framework that walked the entire file system looking for wallet files, seed phrases, and private keys. Every find was validated with cryptographic checks before being stored in a hidden vault that persisted through reboots and package removal. The final phase, ending with version 1.0.91 on May 26, added harvesting of Chromium browser extension databases from 21 or more browsers including Chrome, Edge, Brave, and Opera. This targeted wallet extensions like MetaMask and Phantom directly. The same update introduced an auto-upgrade mechanism letting the relay server silently push new agent versions to all infected machines on a staggered schedule. Persistence That Survives Package Removal One of the most dangerous aspects of forge-jsxy is that uninstalling the package does not remove the threat. Starting with version 1.0.81, the malware copied its agent files into a hidden directory outside node_modules, meaning a standard npm uninstall removes the package listing but leaves the agent fully running in the background. On Linux the persistent directory lives at ~/.local/share/cfgmgr/.forge-jsxy/, while macOS and Windows use their own equivalent paths. A matching startup service, either a systemd unit, a LaunchAgent, or a Task Scheduler entry, ensures the agent restarts after every reboot. Developers who installed any version should treat all credentials and wallet keys on that machine as compromised. SafeDep recommends manually deleting the durable agent directory and removing the associated startup service before considering the machine clean. Anyone using browser-based crypto wallets should move funds to new wallets generated on a clean system. Given how quickly the attacker relaunched after the first takedown, another package under a new name should be expected if forge-jsxy is removed from the registry. Indicators of Compromise (IoCs):- Type Indicator Description IP Address 204.10.194.247 C2 server hosted on AS206216 Advin Services LLC, Nürnberg, DE  WebSocket URL ws://204[.]10[.]194[.]247:9877 WebSocket relay port for agent command and control  HTTP URL hxxp://204[.]10[.]194[.]247:8765 HTTP API endpoint for exfiltrated data ingestion  npm Package forge-jsxy v1.0.66–v1.0.91 Malicious npm package (22 versions), maintainer jacksonkaandorp2  npm Package forge-jsx v1.0.0–v1.0.66 Original malicious package, same campaign, taken down May 4, 2026  Email jacksonkaandorp2@outlook.com Email address linked to attacker npm account jacksonkaandorp2  SHA-256 Hash 4938d47fe6216f8f9fee0527bf5112c04c15a9ea62f87869677619aa5400f09f Package artifact hash for forge-jsxy v1.0.91  File Path (Linux) ~/.local/share/cfgmgr/.forge-jsxy/ Durable agent persistence directory on Linux  File Path (macOS) ~/Library/Application Support/CfgMgr/data/.forge-jsxy/ Durable agent persistence directory on macOS  File Path (Windows) %LOCALAPPDATA%\CfgMgr\data.forge-jsxy\ Durable agent persistence directory on Windows  File Path <durable>/.vault/secret-audit/result.json Secret audit vault storing harvested crypto keys  Service Name (Linux) ~/.config/systemd/user/forge-js-worker.service Systemd persistence service for Linux  Service Name (macOS) ~/Library/LaunchAgents/com.forgejs.worker.plist LaunchAgent persistence entry for macOS  Service Name (Windows) Task Scheduler: ForgeJSWorker / HKCU…\Run\ForgeJSWorker Windows Task Scheduler and registry run key persistence  OSV Advisory MAL-2026-3609 Open Source Vulnerability advisory ID for this campaign  Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News PyrsistenceSniper – Tool that Detects 117 Persistence Malware Techniques on Windows, Linux, and macOS Developer-Targeting Glassworm Malware Abuses npm, PyPI, OpenVSX, and GitHub Hackers Use NF-e Invoice Lures to Deliver Banana RAT Through Malicious Batch Files WhatsApp Chat Histories Stored Unencrypted on macOS and iOS CISA Warns of Microsoft Defender 0-Day Vulnerabilities Exploited in Attacks Latest News Cyber Security News Hackers Abuse AI Chatbot Recommendations to Push Malicious Software Download Links Cyber Security Motorola Phones Preinstalled App Found Hijacking Amazon App to Inject Affiliate Codes AI Attackers Can Exploit BadHost to Access Sensitive AI Agent Server Endpoints Android New BTMOB Malware Lets Attackers Remotely Control Android Devices Cyber Security News CISA Warns of LiteSpeed cPanel Plugin Vulnerability Exploited in Attacks
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 27, 2026
    Archived
    May 27, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗