G_Wagon npm Package Steals Browser Attacking Users

Security researchers discovered a dangerous npm package, ansi-universal-ui, on January 23rd, 2026. It masqueraded as a legitimate user interface component library.

The deceptive package description claimed to offer a lightweight UI system for modern web applications.

However, beneath this innocent facade lay G_Wagon, a highly sophisticated multi-stage information stealer designed to harvest sensitive data from victims’ computers.

G_Wagon operates as a complex attack framework that downloads its own Python runtime and executes heavily obfuscated code to extract browser credentials, cryptocurrency wallet data, cloud credentials, and messaging tokens.

The malware uses an embedded Windows DLL injected directly into browser processes through native NT APIs, demonstrating advanced technical capabilities. The stolen information gets exfiltrated to Appwrite storage buckets controlled by the attackers.

The infection process reveals careful planning. When users installed ansi-universal-ui, a postinstall hook triggered the malicious code automatically.

The dropper component fetches a Python payload from command and control servers, pipes it through stdin to avoid writing files to disk, and executes the destructive stealer in memory.

Aikido analysts and researchers identified the malware after observing version iterations and tracking the attack development across multiple package releases between January 21st and January 23rd.

Detection Evasion Through Continuous Evolution

What makes G_Wagon particularly concerning is its rapid evolution and sophisticated evasion techniques. The attackers published ten package versions over two days, progressively refining their approach.

Early versions included a simple placeholder script to test the dropper infrastructure. By version 1.3.5, they added legitimate-looking branding with detailed README files describing fictional components like a “Virtual Rendering Engine” and “ThemeProvider.”

The attackers gradually enhanced obfuscation across later versions. Version 1.4.1 introduced hex-encoded command and control URLs, split into chunks to evade pattern matching.

They renamed directories from python_runtime to lib_core/renderer and changed variable names from pythonCode to _texture_data, making the code resemble graphics rendering instead of malware.

They also switched to piping payloads through stdin rather than creating files, leaving no forensic artifacts on disk for investigators to recover.

This continuous refinement demonstrates an active threat actor learning from their implementation. They fixed bugs within eighteen minutes of discovering issues, moved between different command and control endpoints, and progressively added anti-forensics capabilities including automatic payload deletion.

Organizations should immediately remove the malicious package versions 1.3.5 through 1.4.1, rotate all stored browser passwords, revoke cryptocurrency wallet extensions, and regenerate cloud provider credentials.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.