G_Wagon Malware: The Stealthy Threat Lurking in npm Packages
On January 23, 2026, cybersecurity experts uncovered a malicious npm package named `ansi-universal-ui`, masquerading as a legitimate user interface library. This package concealed a sophisticated malware known as G_Wagon, engineered to steal sensitive user data.
Deceptive Facade
The `ansi-universal-ui` package presented itself as a lightweight UI system for modern web applications. However, upon installation, it activated G_Wagon, a multi-stage information stealer. This malware downloaded its own Python runtime and executed obfuscated code to extract browser credentials, cryptocurrency wallet data, cloud service credentials, and messaging tokens. It utilized an embedded Windows DLL, injecting it directly into browser processes via native NT APIs, showcasing advanced technical capabilities. The stolen data was then exfiltrated to Appwrite storage buckets under the attackers’ control.
Infection Mechanism
The infection process was meticulously crafted. Upon installing `ansi-universal-ui`, a post-installation hook automatically triggered the malicious code. The dropper component fetched a Python payload from command and control servers, executed it in memory to avoid writing files to disk, and initiated the data-stealing process. Aikido analysts identified the malware by tracking version iterations and observing the attack’s development across multiple package releases between January 21 and January 23.
Evasion Techniques
G_Wagon’s rapid evolution and sophisticated evasion techniques are particularly concerning. The attackers released ten package versions over two days, continually refining their approach. Early versions included simple placeholder scripts to test the dropper infrastructure. By version 1.3.5, they added legitimate-looking branding with detailed README files describing fictional components like a Virtual Rendering Engine and ThemeProvider.
Subsequent versions enhanced obfuscation. Version 1.4.1 introduced hex-encoded command and control URLs, split into chunks to evade pattern matching. The attackers renamed directories from `python_runtime` to `lib_core/renderer` and changed variable names from `pythonCode` to `_texture_data`, making the code resemble graphics rendering instead of malware. They also switched to piping payloads through stdin rather than creating files, leaving no forensic artifacts on disk for investigators to recover.
This continuous refinement demonstrates an active threat actor iterating on their implementation. They fixed bugs within eighteen minutes of discovering issues, moved between different command and control endpoints, and progressively added anti-forensics capabilities, including automatic payload deletion.
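Two of the behaviours described above, the post-installation hook that starts the dropper and the hex-encoded, chunked command and control URLs of version 1.4.1, can both be screened for statically before a package is trusted. The following is an added example written for this article, not code from the package, from Aikido, or from any other party. The package.json and source snippet it scans are constructed for the demo, the package name `example-ui-kit` is made up, and the hostnames it decodes (example.invalid, 203.0.113.7) are documentation placeholders, not real infrastructure.

```javascript
// Added example for this article, not code from the package or from Aikido.
// Static triage of an npm package for two behaviours described above:
//   1. lifecycle scripts that execute code at `npm install` time
//   2. hex-encoded URL fragments concatenated at runtime to hide a C2 address
// All sample inputs below are constructed; hostnames are placeholders.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Interpreters that commonly appear in install-time hooks. Many legitimate packages
// run `node` here too, so this is a triage signal, not a verdict on its own.
const INTERPRETER = /\b(node|python3?|powershell|pwsh|sh|bash|cmd)\b/;

// Return every lifecycle hook a package.json would run on install.
function findInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE_HOOKS
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, cmd: scripts[hook], spawnsInterpreter: INTERPRETER.test(scripts[hook]) }));
}

// Find runs of two or more hex string literals separated only by `+`, `,` or
// whitespace (covers 'a' + 'b' and ['a', 'b'].join('')), decode the run, and
// report it when the result is a printable URL. Minimum chunk size is 8 hex
// digits (4 bytes); lower it to catch finer splitting at the cost of more noise.
function decodeHexChunks(source) {
  const literal = /["']([0-9a-fA-F]{8,})["']/g;
  const glue = /^[\s+,]*$/;
  const results = [];
  let group = [];
  let lastEnd = 0;

  const flush = () => {
    if (group.length >= 2) {
      const joined = group.join('');
      if (joined.length % 2 === 0) {
        // latin1 keeps a 1:1 byte-to-char mapping, so the printable check is exact
        const decoded = Buffer.from(joined, 'hex').toString('latin1');
        if (/^[\x20-\x7e]+$/.test(decoded) && /^https?:\/\/\S+$/i.test(decoded)) {
          results.push({ chunks: group.length, decoded });
        }
      }
    }
    group = [];
  };

  let m;
  while ((m = literal.exec(source)) !== null) {
    if (group.length > 0 && !glue.test(source.slice(lastEnd, m.index))) flush();
    group.push(m[1]);
    lastEnd = m.index + m[0].length;
  }
  flush();
  return results;
}

// Combine both checks into one triage result for a package.
function triagePackage(pkg, source) {
  const installHooks = findInstallHooks(pkg);
  const hiddenUrls = decodeHexChunks(source);
  return {
    installHooks,
    hiddenUrls,
    verdict: installHooks.length > 0 || hiddenUrls.length > 0 ? 'review' : 'clean',
  };
}

// Constructed sample inputs, mimicking the shapes described for version 1.4.1.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-ui-kit', // constructed name, not the real package
  version: '1.0.0',
  scripts: { postinstall: 'node lib_core/renderer/setup.js', test: 'jest' },
};
const SAMPLE_SOURCE = `
const _texture_data = '68747470733a2f2f' + '63646e2e6578616d' + '706c652e696e7661' + '6c69642f626f6f74';
const fragments = ['68747470', '3a2f2f32', '30332e30', '2e313133', '2e372f75'];
const endpoint = fragments.join('');
const checksum = 'deadbeef' + 'cafebabe'; // binary, not a URL: must not be flagged
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triagePackage(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCE), null, 2));
}
```

Run against a real package, the inputs would be the parsed package.json and the concatenated contents of its JavaScript files. The install-hook check is deliberately broad, since any lifecycle script is the point at which code runs on the developer's machine; the hex-chunk decoder is the more specific signal, because legitimate code rarely assembles a URL from several hex literals.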
Recommendations
Organizations should immediately remove the malicious package versions 1.3.5 through 1.4.1, rotate all stored browser passwords, revoke cryptocurrency wallet extensions, and regenerate cloud provider credentials.
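To act on the version range given above, a defender first needs to know whether any copy of the package in a project's dependency tree falls inside it, including nested copies that `package.json` alone would not show. This added example is not from the article, from Aikido, or from npm. It assumes a package-lock.json in lockfileVersion 2 or 3 form, which keys installed packages by their `node_modules/...` path in a top-level `packages` map; the lockfile below is constructed for the demo, and the version range is the one this write-up states.

```javascript
// Added example for this article, not code from npm or from the write-up's authors.
// Walks a package-lock.json (lockfileVersion 2 or 3, which key installed packages by
// their node_modules path in a top-level "packages" map) and reports every copy of the
// named package whose version lies in the malicious range given above. The lockfile
// below is constructed; the range is the one this write-up states.

const ADVISORY = { name: 'ansi-universal-ui', from: '1.3.5', to: '1.4.1' };

// Parse "major.minor.patch" (prerelease/build suffixes ignored); null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive range check against the advisory; unparsable versions are not matched.
function isAffectedVersion(version, adv = ADVISORY) {
  const v = parseVersion(version);
  if (!v) return false;
  return compareVersions(v, parseVersion(adv.from)) >= 0 &&
         compareVersions(v, parseVersion(adv.to)) <= 0;
}

// Package name from a lock path: the segment after the last "node_modules/"
// (works for nested copies and for @scoped/names).
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Return every installed copy of the advisory's package inside the bad range.
function findAffected(lock, adv = ADVISORY) {
  const hits = [];
  for (const [path, entry] of Object.entries((lock && lock.packages) || {})) {
    if (path === '') continue; // "" is the root project itself
    const name = entry.name || nameFromPath(path);
    if (name === adv.name && isAffectedVersion(entry.version, adv)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile: one direct copy in the bad range, one nested copy below it.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.1.0' },
    'node_modules/ansi-universal-ui': { version: '1.4.1' },
    'node_modules/example-dep': { version: '2.0.0' },
    'node_modules/example-dep/node_modules/ansi-universal-ui': { version: '1.0.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // In a real project: findAffected(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))
  console.log(findAffected(SAMPLE_LOCK));
}
```

The range is deliberately a parameter: the write-up notes that earlier releases already carried placeholder scripts used to test the dropper infrastructure, so a team may reasonably widen it to every version of the package. For an interactive check, `npm ls ansi-universal-ui` in the project directory lists the same installed copies.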