malware npm

noon-contracts

discovered 2026-05-10

noon-contracts is identified in the SafeDep analysis "noon-contracts npm Package: DeFi Supply Chain RAT". noon-contracts poses as a Noon Protocol SDK on npm. On install it exfiltrates SSH keys, crypto wallet private keys, AWS credentials (including live STS/S3/SecretsManager calls), Kubernetes secrets, .env files, shell history, and browser wallet paths to C2 at 82.221.101.203:8443. A full eval-based remote shell polls every 45 seconds. Triple persistence via crontab, macOS LaunchAgent, Linux systemd, and shell RC injection.

more…

Threat types

credential_stealer data_exfiltration rat persistence c2_agent crypto_drainer

Malicious versions

1.0.0

Campaigns

No Specific Campaignattributed-to

Indicators

domain 82.221.101.203communicates-with
ipv4 82.221.101.203communicates-with
sha256 263df2348f54f1f4980542a41f69d77b085fb28091a95979ba7f0e9f3d0da861indicates
email noondeved94ed@wshu.netexfiltrates-to

Techniques

ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
ttp T1552.001 Unsecured Credentials: Credentials In Filesuses
ttp T1041 Exfiltration Over C2 Channeluses
ttp T1552.004 Unsecured Credentials: Private Keysuses
ttp T1528 Steal Application Access Tokenuses
ttp T1105 Ingress Tool Transferuses
ttp T1071.001 Application Layer Protocol: Web Protocolsuses
ttp T1546 Event Triggered Executionuses

Read the full analysis →