malware npm
forge-jsxy
Discovered 2026-05-26

forge-jsxy is the Wave 2 successor to forge-jsx, published after npm took down the original package. It poses as an Autodesk Forge SDK and deploys a full-featured cross-platform RAT with keylogging, .env file scanning, shell history exfiltration, Chromium extension LevelDB harvesting across 21+ browsers, cryptocurrency wallet scanning (BIP39/Solana/secp256k1), Discord screenshot exfiltration via bot webhooks, Hugging Face Hub data uploads, WebRTC P2P channels, durable persistence outside node_modules (so it survives a reinstall of the package), and relay-pushed auto-upgrades. C2 at 204.10.194.247.
Threat types
rat, credential_stealer, data_exfiltration, persistence, c2_agent, crypto_drainer
Malicious versions
- 1.0.66 · 8070daba5d6ca61c…
- 1.0.67
- 1.0.68
- 1.0.69
- 1.0.70
- 1.0.71
- 1.0.72
- 1.0.73
- 1.0.74
- 1.0.75
- 1.0.76
- 1.0.77
- 1.0.78
- 1.0.79
- 1.0.80
- 1.0.81
- 1.0.82
- 1.0.83
- 1.0.84
- 1.0.85
- 1.0.86
- 1.0.91 · 4938d47fe6216f8f…
Campaigns
Indicators
- ipv4 204.10.194.247 (communicates-with)
- url ws://204.10.194.247:9877 (communicates-with)
- url http://204.10.194.247:8765 (communicates-with)
- sha256 4938d47fe6216f8f9fee0527bf5112c04c15a9ea62f87869677619aa5400f09f (indicates)
- sha256 8070daba5d6ca61c357574526d1e0f468ae575a4edf74cc90a8d8b8c78e3aeef (indicates)
- email jacksonkaandorp2@outlook.com (indicates)
- domain taohunter.ai (communicates-with)
- file_path ~/.config/systemd/user/forge-js-worker.service (drops)
- file_path ~/.config/autostart/forge-js-worker.desktop (drops)
- file_path ~/Library/LaunchAgents/com.forgejs.worker.plist (drops)
Techniques
- ttp T1195.002 Compromise Software Supply Chain (uses)
- ttp T1059.007 Command and Scripting Interpreter: JavaScript (uses)
- ttp T1547.001 Boot or Logon Autostart Execution: Registry Run Keys (uses)
- ttp T1547.004 Boot or Logon Autostart Execution: Launch Agent (uses)
- ttp T1543.002 Create or Modify System Process: Systemd Service (uses)
- ttp T1056.001 Input Capture: Keylogging (uses)
- ttp T1115 Clipboard Data (uses)
- ttp T1113 Screen Capture (uses)
- ttp T1005 Data from Local System (uses)
- ttp T1567.001 Exfiltration to Code Repository (uses)
- ttp T1071.001 Application Layer Protocol: Web Protocols (uses)
- ttp T1027 Obfuscated Files or Information (uses)
- ttp T1082 System Information Discovery (uses)
- ttp T1217 Browser Information Discovery (uses)
- ttp T1552.001 Unsecured Credentials: Credentials In Files (uses)
- ttp T1020 Automated Exfiltration (uses)
