Hackers Push 22 Versions of npm RAT With Wallet Theft and
A malicious npm package, forge-jsxy, published to the npm registry on May 4, 2026, pushed out 22 versions in 22 days, making it one of the most actively developed pieces of malware seen on the platform.
The story begins before forge-jsxy existed. Its predecessor, forge-jsx, was published on April 7, 2026, and ran undetected for nearly a month before npm replaced it with a security placeholder.
Within hours of that takedown, the attacker created a new account under jacksonkaandorp2 and launched forge-jsxy, picking up exactly where the old package left off at version 1.0.66.
Analysts at SafeDep, whose threat intelligence pipeline tracks malicious open source packages in real time, identified and documented the full scope of the campaign.
SafeDep said in a report shared with Cyber Security News (CSN) that the same operator behind forge-jsx was responsible, noting that the command-and-control configuration, encryption scheme, and session credentials were identical across both packages.
The malware disguised itself as a Node.js integration layer for Autodesk Forge, a legitimate software development kit, appearing trustworthy to developers browsing the registry.
Once installed, a postinstall script deployed a hidden agent that began harvesting keystrokes, clipboard content, environment files, shell history, and desktop screenshots. Continuous integration environments were deliberately skipped to avoid detection during automated builds.
Over 50 days of combined activity across both package names, the operator shipped 88 versions and built a feature set that rivals commercial spyware.
The attacker maintained test coverage throughout, growing the test suite from 12 files to 20 by the final version, a discipline rarely seen in npm supply chain attacks.
Hackers Push 22 Versions of npm RAT
The 22 forge-jsxy versions rolled out in five clear development phases. The first phase, covering versions 1.0.66 through 1.0.76, carried the full forge-jsx feature set along with periodic desktop screenshots sent to Discord via rotating bot webhooks.
A second phase introduced a web-based file explorer letting attackers remotely browse victim file systems. By mid-May, the operator added WebRTC peer-to-peer data channels, giving the attacker a faster path that bypassed the main WebSocket relay.
Then on May 18 alone, six versions dropped in ten hours, delivering a cryptocurrency scanning framework that walked the entire file system looking for wallet files, seed phrases, and private keys.
Every find was validated with cryptographic checks before being stored in a hidden vault that persisted through reboots and package removal.
The final phase, ending with version 1.0.91 on May 26, added harvesting of Chromium browser extension databases from 21 or more browsers including Chrome, Edge, Brave, and Opera.
This targeted wallet extensions like MetaMask and Phantom directly. The same update introduced an auto-upgrade mechanism letting the relay server silently push new agent versions to all infected machines on a staggered schedule.
Persistence That Survives Package Removal
One of the most dangerous aspects of forge-jsxy is that uninstalling the package does not remove the threat. Starting with version 1.0.81, the malware copied its agent files into a hidden directory outside node_modules, meaning a standard npm uninstall removes the package listing but leaves the agent fully running in the background.
On Linux the persistent directory lives at ~/.local/share/cfgmgr/.forge-jsxy/, while macOS and Windows use their own equivalent paths.
A matching startup service, either a systemd unit, a LaunchAgent, or a Task Scheduler entry, ensures the agent restarts after every reboot. Developers who installed any version should treat all credentials and wallet keys on that machine as compromised.
SafeDep recommends manually deleting the durable agent directory and removing the associated startup service before considering the machine clean.
Anyone using browser-based crypto wallets should move funds to new wallets generated on a clean system. Given how quickly the attacker relaunched after the first takedown, another package under a new name should be expected if forge-jsxy is removed from the registry.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| IP Address | 204.10.194.247 | C2 server hosted on AS206216 Advin Services LLC, Nürnberg, DE |
| WebSocket URL | ws://204[.]10[.]194[.]247:9877 | WebSocket relay port for agent command and control |
| HTTP URL | hxxp://204[.]10[.]194[.]247:8765 | HTTP API endpoint for exfiltrated data ingestion |
| npm Package | forge-jsxy v1.0.66–v1.0.91 | Malicious npm package (22 versions), maintainer jacksonkaandorp2 |
| npm Package | forge-jsx v1.0.0–v1.0.66 | Original malicious package, same campaign, taken down May 4, 2026 |
| Email | [email protected] | Email address linked to attacker npm account jacksonkaandorp2 |
| SHA-256 Hash | 4938d47fe6216f8f9fee0527bf5112c04c15a9ea62f87869677619aa5400f09f | Package artifact hash for forge-jsxy v1.0.91 |
| File Path (Linux) | ~/.local/share/cfgmgr/.forge-jsxy/ | Durable agent persistence directory on Linux |
| File Path (macOS) | ~/Library/Application Support/CfgMgr/data/.forge-jsxy/ | Durable agent persistence directory on macOS |
| File Path (Windows) | %LOCALAPPDATA%\CfgMgr\data\.forge-jsxy\ | Durable agent persistence directory on Windows |
| File Path | <durable>/.vault/secret-audit/result.json | Secret audit vault storing harvested crypto keys |
| Service Name (Linux) | ~/.config/systemd/user/forge-js-worker.service | Systemd persistence service for Linux |
| Service Name (macOS) | ~/Library/LaunchAgents/com.forgejs.worker.plist | LaunchAgent persistence entry for macOS |
| Service Name (Windows) | Task Scheduler: ForgeJSWorker / HKCU\…\Run\ForgeJSWorker | Windows Task Scheduler and registry run key persistence |
| OSV Advisory | MAL-2026-3609 | Open Source Vulnerability advisory ID for this campaign |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
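The persistence section above tells a developer to look for the durable agent directory and its startup service, and the table lists the concrete file paths, hash and C2 address to check. The script below is an added triage example written for this article; it is not SafeDep's tooling and is not taken from the report. It only checks the indicators printed in the table (Linux and macOS paths relative to the home directory, the Windows path under %LOCALAPPDATA% when that variable is set), looks for forge-jsx / forge-jsxy in a project's package.json, package-lock.json and node_modules, compares a saved package tarball against the published v1.0.91 hash, and greps connection logs for the C2 IP. The function names, the fake host layout built by `build_sample_host`, and the sample log lines are all constructed for the example.

```python
"""Triage checks for the forge-jsx / forge-jsxy npm campaign, using only the IoCs in the table."""
import hashlib
import json
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional

MALICIOUS_PACKAGES = {"forge-jsx", "forge-jsxy"}
# Package artifact hash for forge-jsxy v1.0.91 (from the IoC table)
KNOWN_ARTIFACT_SHA256 = {
    "4938d47fe6216f8f9fee0527bf5112c04c15a9ea62f87869677619aa5400f09f": "forge-jsxy v1.0.91",
}
C2_IP = "204.10.194.247"  # relay :9877 (WebSocket) and :8765 (HTTP ingestion)
C2_PATTERN = re.compile(r"\b" + re.escape(C2_IP) + r"\b")

# Persistence artifacts relative to the user's home directory (Linux and macOS rows of the table)
HOME_ARTIFACTS = [
    ".local/share/cfgmgr/.forge-jsxy",
    ".config/systemd/user/forge-js-worker.service",
    "Library/Application Support/CfgMgr/data/.forge-jsxy",
    "Library/LaunchAgents/com.forgejs.worker.plist",
]


def find_persistence_artifacts(home: Path, local_appdata: Optional[Path] = None) -> List[str]:
    """Return every listed persistence path that exists, plus the secret vault inside the durable dir."""
    hits = [str(home / rel) for rel in HOME_ARTIFACTS if (home / rel).exists()]
    if local_appdata is not None:  # Windows row: %LOCALAPPDATA%\CfgMgr\data\.forge-jsxy
        win_dir = local_appdata / "CfgMgr" / "data" / ".forge-jsxy"
        if win_dir.exists():
            hits.append(str(win_dir))
    for found in list(hits):  # <durable>/.vault/secret-audit/result.json holds harvested keys
        vault = Path(found) / ".vault" / "secret-audit" / "result.json"
        if vault.is_file():
            hits.append(str(vault))
    return hits


def find_malicious_dependencies(project_dir: Path) -> List[str]:
    """Report forge-jsx / forge-jsxy in package.json, package-lock.json, or an installed node_modules tree."""
    findings = []
    pkg = project_dir / "package.json"
    if pkg.is_file():
        data = json.loads(pkg.read_text())
        for section in ("dependencies", "devDependencies", "optionalDependencies"):
            for name, spec in data.get(section, {}).items():
                if name in MALICIOUS_PACKAGES:
                    findings.append(f"package.json {section}: {name}@{spec}")
    lock = project_dir / "package-lock.json"
    if lock.is_file():
        data = json.loads(lock.read_text())
        for key, entry in data.get("packages", {}).items():  # lockfile v2/v3 keys look like node_modules/<name>
            name = key.rsplit("node_modules/", 1)[-1]
            if name in MALICIOUS_PACKAGES:
                findings.append(f"package-lock.json: {name}@{entry.get('version', '?')}")
    for name in MALICIOUS_PACKAGES:
        if (project_dir / "node_modules" / name).exists():
            findings.append(f"node_modules/{name} present")
    return findings


def artifact_matches_known_hash(path: Path) -> Optional[str]:
    """SHA-256 a saved tarball and return the matching table entry, or None."""
    return KNOWN_ARTIFACT_SHA256.get(hashlib.sha256(path.read_bytes()).hexdigest())


def find_c2_connections(log_lines) -> List[str]:
    """Return proxy/flow log lines that mention the C2 IP (word-bounded so 1204.10.194.247 does not match)."""
    return [line.strip() for line in log_lines if C2_PATTERN.search(line)]


# Constructed sample log lines; destinations other than the C2 use documentation (TEST-NET) addresses.
SAMPLE_LOG_LINES = [
    "2026-05-20T10:01:12Z CONNECT 10.0.0.14:51234 -> 204.10.194.247:9877",
    "2026-05-20T10:01:15Z CONNECT 10.0.0.14:51240 -> 192.0.2.10:443",
    "2026-05-20T10:02:03Z POST    10.0.0.14:51301 -> 204.10.194.247:8765",
]


def build_sample_host(root: Path) -> dict:
    """Constructed fixture: a fake home and project laid out like an infected Linux developer box."""
    home = root / "home"
    durable = home / ".local/share/cfgmgr/.forge-jsxy"
    (durable / ".vault/secret-audit").mkdir(parents=True)
    (durable / ".vault/secret-audit/result.json").write_text("{}")
    unit_dir = home / ".config/systemd/user"
    unit_dir.mkdir(parents=True)
    (unit_dir / "forge-js-worker.service").write_text("[Unit]\nDescription=constructed sample\n")
    project = root / "project"
    project.mkdir()
    (project / "package.json").write_text(json.dumps({"dependencies": {"forge-jsxy": "^1.0.91"}}))
    (project / "package-lock.json").write_text(
        json.dumps({"packages": {"": {}, "node_modules/forge-jsxy": {"version": "1.0.91"}}}))
    (project / "forge-jsxy-1.0.91.tgz").write_bytes(b"constructed stand-in, not the real tarball")
    return {"home": home, "project": project}


def demo() -> dict:
    """Run every check against the constructed fixture and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = build_sample_host(Path(tmp))
        return {
            "persistence": find_persistence_artifacts(paths["home"]),
            "dependencies": find_malicious_dependencies(paths["project"]),
            "hash_match": artifact_matches_known_hash(paths["project"] / "forge-jsxy-1.0.91.tgz"),
            "c2": find_c2_connections(SAMPLE_LOG_LINES),
        }


if __name__ == "__main__":
    appdata = Path(os.environ["LOCALAPPDATA"]) if "LOCALAPPDATA" in os.environ else None
    print("persistence artifacts on this host:", find_persistence_artifacts(Path.home(), appdata))
    print("fixture run:", demo())
```

Run it from a project directory to see the fixture results, or pass `Path.home()` and the project root to the individual functions on a real machine. A hit from `find_persistence_artifacts` is the signal SafeDep describes: the agent outlives `npm uninstall`, so the directory and the matching unit, LaunchAgent or scheduled task must be removed as well, and any credentials or wallet keys that were on the machine treated as exposed. The hash check only confirms the one published artifact; earlier versions of either package name will not match and should be judged by name and maintainer instead.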
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.