malware npm

godsplan

discovered 2026-04-16

godsplan is identified in the SafeDep analysis "ixpresso-core: Windows RAT Disguised as a WhatsApp Agent". ixpresso-core poses as an AI WhatsApp agent on npm but installs Veltrix, a Windows RAT that steals browser credentials, Discord tokens, and keystrokes via a hardcoded Discord webhook.

more…

Threat types

rat credential_stealer data_exfiltration persistence c2_agent

Malicious versions

1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8

Campaigns

fucktestpad npm Malwareattributed-to

Indicators

domain discord.comcommunicates-with
ipv4 0.0.0.0communicates-with
email fucktestpad@opemails.comexfiltrates-to

Techniques

ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
ttp T1552.001 Unsecured Credentials: Credentials In Filesuses
ttp T1041 Exfiltration Over C2 Channeluses
ttp T1528 Steal Application Access Tokenuses
ttp T1539 Steal Web Session Cookieuses
ttp T1105 Ingress Tool Transferuses
ttp T1071.001 Application Layer Protocol: Web Protocolsuses
ttp T1102 Web Serviceuses
ttp T1546 Event Triggered Executionuses

Read the full analysis →