malware npm

@johntaohunter/forge-jsx

discovered 2026-04-15

@johntaohunter/forge-jsx is identified in the SafeDep analysis "forge-jsx npm Package: Purpose-Built Multi-Platform RAT". forge-jsx poses as an Autodesk Forge SDK on npm. On install it deploys a system-wide keylogger, recursive .env file scanner, shell history exfiltrator, and a WebSocket-based remote filesystem backdoor to C2 at 204.10.194.247, with persistence via systemd, LaunchAgent, and Task Scheduler.

more…

Threat types

rat credential_stealer data_exfiltration persistence c2_agent

Malicious versions

1.0.4

Campaigns

forge-jsx RATattributed-to

Indicators

domain 204.10.194.247communicates-with
ipv4 204.10.194.247communicates-with
sha256 4cb96c3b033c1aaf7b3d0fe54749058f14d4d914947a6d6d430aca108a7daa5aindicates
email john@taohunter.aiexfiltrates-to
email johnceballos0716@gmail.comexfiltrates-to

Techniques

ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
ttp T1552.001 Unsecured Credentials: Credentials In Filesuses
ttp T1041 Exfiltration Over C2 Channeluses
ttp T1105 Ingress Tool Transferuses
ttp T1071.001 Application Layer Protocol: Web Protocolsuses
ttp T1546 Event Triggered Executionuses

Read the full analysis →