malware npm
cjs-biginteger
discovered 2026-04-09
cjs-biginteger is identified in the SafeDep analysis "big.js Typosquat Campaign Implants SSH Backdoors". Three waves of big.js typosquats (sjs-biginteger, bjs-biginteger, cjs-biginteger) published from throwaway npm accounts implant SSH backdoors and exfiltrate credentials to Cloudflare-disguised C2 infrastructure.
Threat types
credential_stealer data_exfiltration rat persistence c2_agent typosquat
Malicious versions
- 1.0.0
Campaigns
Indicators
- domain cloudflareinsights.vercel.app (communicates-with)
- domain cloudflarefirewall.vercel.app (communicates-with)
- sha256 55bee3abfa26a78989baae1053a778d3b4a984d5451621a851211a45fe2a82b9 (indicates)
- sha256 02a00a158ceedaaf7a4bf53002a74d60339d4668d463831fe218905816b72e07 (indicates)
- sha256 9d2037fc0ad9ada672d30e17a9496cbde392c5093a9fde0b8f16d28e2e0c50c7 (indicates)
- sha256 7bff4518f4d49ddf3d04d8167a6f5f17aed9b3703290f65cf71c61ea61f0a7bc (indicates)
- sha256 aa36d4bee44ee1d35af0e211e8cca957044c782b177787b1181d18d6d6323037 (indicates)
- sha256 f4914c528cf92a7e97ac3b24138afb86b4cd9db6960d92ffbbff36a1fb90ead9 (indicates)
- sha256 fc095d3e6a613e27d267d80b448101ef78b02ec07dd3993c734202839015fb54 (indicates)
- sha256 86f60a2196c3d1355efdcfee41f1549c30c6081bf6c106d11e44a64691f8ebd3 (indicates)
- email vanes.s.p.orit.a@googlemail.com (exfiltrates-to)
- email support@polymarket.com (exfiltrates-to)
Techniques
- ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools (uses)
- ttp T1059.007 Command and Scripting Interpreter: JavaScript (uses)
- ttp T1036 Masquerading (uses)
- ttp T1552.001 Unsecured Credentials: Credentials In Files (uses)
- ttp T1041 Exfiltration Over C2 Channel (uses)
- ttp T1552.004 Unsecured Credentials: Private Keys (uses)
- ttp T1105 Ingress Tool Transfer (uses)
- ttp T1071.001 Application Layer Protocol: Web Protocols (uses)
- ttp T1546 Event Triggered Execution (uses)
- ttp T1027 Obfuscated Files or Information (uses)
