malware npm

express-session-js

discovered 2026-04-02

express-session-js is identified in the SafeDep analysis "Malicious npm Package express-session-js Drops Full RAT Payload". A malicious npm package typosquatting express-session fetches and executes a full Remote Access Trojan from a paste service, targeting browser credentials, crypto wallets, SSH keys, and more.

more…

Threat types

rat credential_stealer crypto_drainer data_exfiltration c2_agent

Malicious versions

1.19.0

Campaigns

No Specific Campaignattributed-to

Indicators

domain jsonkeeper.comcommunicates-with
domain 216.126.237.71communicates-with
ipv4 216.126.237.71communicates-with
ipv4 216.126.229.166communicates-with
ipv4 216.126.227.239communicates-with
sha256 b5cca27ca1d792bd8c46b83fccfa4e5ba38916eb78877a19cbb39392ce98cc39indicates
md5 a36adbc35e69b22acbf9f834a0deb286indicates
email tj@vision-media.caexfiltrates-to

Techniques

ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
ttp T1036 Masqueradinguses
ttp T1552.001 Unsecured Credentials: Credentials In Filesuses
ttp T1041 Exfiltration Over C2 Channeluses
ttp T1552.004 Unsecured Credentials: Private Keysuses
ttp T1539 Steal Web Session Cookieuses
ttp T1105 Ingress Tool Transferuses
ttp T1071.001 Application Layer Protocol: Web Protocolsuses

Read the full analysis →