npm Supply Chain Attack: undicy-http Depl Uses Deploy
It also scans for analysis tools like Wireshark, IDA, and Ghidra. To deceive the victim, it displays a fake missing-DLL Windows error dialog even as its payload continues running silently in the background.
The native binary chromelevator.exe goes even further by using direct syscalls that sidestep standard ntdll.dll APIs, bypassing EDR and antivirus hooks at the user-mode level.
Developers should immediately run npm uninstall undicy-http, end all node and wscript.exe processes, and remove the ScreenLiveClient scheduled task and its registry key.
Delete the VBS files from the temp folder and reinstall all Discord clients to clear injected code. Rotate all passwords, Discord tokens, and session credentials for Roblox, Instagram, Spotify, TikTok, Steam, and Telegram.
Move cryptocurrency to new wallets with fresh seed phrases on a clean machine, and block the C2 address 24[.]152[.]36[.]243 and domain amoboobs[.]com. Re-imaging the system is advised if chromelevator.exe ran, as manual cleanup alone cannot guarantee full system trust.
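The cleanup steps above can be turned into a repeatable triage script. The following PowerShell is an added example written for this page, not code from HackersRadar or from any vendor advisory. It only uses indicators the article names (the undicy-http package, the ScreenLiveClient scheduled task, node/wscript.exe/chromelevator.exe processes, VBS files in the temp folder, the C2 address 24.152.36.243 and domain amoboobs.com). Two things are assumptions: the article does not say where the ScreenLiveClient registry value lives, so the script checks the usual HKCU/HKLM Run keys, and since the VBS file names are not given, the script lists every .vbs in %TEMP% for review instead of deleting blindly. It reports findings by default and only changes the system when `-Remediate` is passed.

```powershell
# Added example (not from the article): defender-side triage and cleanup for the
# undicy-http indicators. Run from an elevated PowerShell prompt.
# ASSUMPTIONS: the registry persistence is a Run-key value named ScreenLiveClient
# (location not stated in the article); VBS dropper names are unknown, so they are listed.
[CmdletBinding()]
param(
    [switch]$Remediate   # without this switch the script only reports findings
)

$C2Ip     = '24.152.36.243'   # C2 address from the article (defanged there as 24[.]152[.]36[.]243)
$C2Domain = 'amoboobs.com'    # C2 domain from the article
$findings = New-Object System.Collections.Generic.List[string]

# 1. Is the package referenced by any project under the current directory?
Get-ChildItem -Path . -Recurse -Filter package-lock.json -ErrorAction SilentlyContinue |
    Where-Object { Select-String -Path $_.FullName -Pattern 'undicy-http' -Quiet } |
    ForEach-Object { $findings.Add("undicy-http referenced in $($_.FullName)") }

# 2. Persistence: scheduled task named ScreenLiveClient
$task = Get-ScheduledTask -TaskName 'ScreenLiveClient' -ErrorAction SilentlyContinue
if ($task) {
    $findings.Add("Scheduled task ScreenLiveClient present (state: $($task.State))")
    if ($Remediate) { Unregister-ScheduledTask -TaskName 'ScreenLiveClient' -Confirm:$false }
}

# 3. Persistence: Run-key value (ASSUMED location; the article does not name the key)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties.Name -contains 'ScreenLiveClient') {
        $findings.Add("Run value ScreenLiveClient in $key -> $($props.ScreenLiveClient)")
        if ($Remediate) { Remove-ItemProperty -Path $key -Name 'ScreenLiveClient' }
    }
}

# 4. Running processes: node, wscript.exe and the native chromelevator.exe
$procs = Get-Process -Name node, wscript, chromelevator -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $findings.Add("Process $($p.ProcessName) (PID $($p.Id)) running")
    if ($Remediate) { Stop-Process -Id $p.Id -Force }
}

# 5. Dropped VBS files in the user's temp folder (names unknown, so list for review)
Get-ChildItem -Path $env:TEMP -Filter *.vbs -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("VBS file in TEMP: $($_.FullName)") }

# 6. Block the C2: outbound firewall rule for the IP, hosts-file sinkhole for the domain
if ($Remediate) {
    if (-not (Get-NetFirewallRule -DisplayName 'Block undicy-http C2' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block undicy-http C2' -Direction Outbound `
            -Action Block -RemoteAddress $C2Ip | Out-Null
    }
    $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
    if (-not (Select-String -Path $hosts -Pattern ([regex]::Escape($C2Domain)) -Quiet)) {
        Add-Content -Path $hosts -Value "0.0.0.0 $C2Domain"
    }
}

if ($findings.Count -eq 0) { 'No undicy-http indicators found.' } else { $findings }
if ($procs | Where-Object ProcessName -eq 'chromelevator') {
    'chromelevator.exe was observed: the article advises re-imaging rather than trusting manual cleanup.'
}
```

Run it once without arguments to see what is present, then with `-Remediate` to kill the processes, remove the task and Run value, and block the C2. The remaining steps from the article stay manual: `npm uninstall undicy-http` in each affected project, deleting the reviewed VBS files, reinstalling the Discord clients, rotating credentials and moving wallets from a clean machine. If the script reports chromelevator.exe, treat the host as untrusted and re-image it.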