Hackers Deploy 22 Versions of Malicious npm Package to Steal Cryptocurrency Wallets and Establish Persistent Backdoors
A sophisticated and rapidly evolving malware campaign has been uncovered within the npm ecosystem, targeting developers across multiple operating systems. The malicious package, named `forge-jsxy`, was first published on May 4, 2026, and underwent 22 version updates over 22 days, indicating an aggressive development and deployment strategy.
Background and Evolution of the Attack
The campaign’s origins trace back to an earlier package, `forge-jsx`, which appeared on the npm registry on April 7, 2026. This package remained undetected for nearly a month until npm intervened, replacing it with a security placeholder. Undeterred, the attacker swiftly created a new account under the username `jacksonkaandorp2` and launched `forge-jsxy`, continuing the malicious activities from version 1.0.66.
Security analysts at SafeDep, who specialize in monitoring malicious open-source packages, identified that the same operator was behind both `forge-jsx` and `forge-jsxy`. Their analysis revealed identical command-and-control configurations, encryption schemes, and session credentials across both packages, confirming a continuous and deliberate attack strategy.
Deceptive Tactics and Malware Capabilities
Disguised as a Node.js integration layer for Autodesk Forge—a legitimate software development kit—`forge-jsxy` appeared trustworthy to developers browsing the npm registry. Once installed, the package executed a `postinstall` script that deployed a hidden agent capable of:
– Harvesting keystrokes
– Capturing clipboard content
– Accessing environment files
– Retrieving shell history
– Taking desktop screenshots
Notably, the malware was designed to detect continuous integration environments and skip execution there, avoiding detection during automated builds.
Over a 50-day period encompassing both `forge-jsx` and `forge-jsxy`, the attacker released 88 versions, developing a feature set comparable to commercial spyware. The operator maintained rigorous test coverage throughout, expanding the test suite from 12 to 20 files by the final version—a level of discipline rarely observed in npm supply chain attacks.
Phases of Development and Escalation
The evolution of `forge-jsxy` unfolded in five distinct phases:
1. Initial Deployment (Versions 1.0.66 to 1.0.76): These versions carried the full feature set of `forge-jsx`, including periodic desktop screenshots sent to Discord via rotating bot webhooks.
2. Introduction of Remote File Explorer: A web-based file explorer was added, enabling attackers to remotely browse victims’ file systems.
3. Implementation of WebRTC Data Channels: WebRTC peer-to-peer data channels were integrated, allowing faster data transmission that bypassed the main WebSocket relay.
4. Cryptocurrency Wallet Scanning (May 18): Six versions were released in a single day, introducing a framework that scanned the entire file system for cryptocurrency wallet files, seed phrases, and private keys. Discovered assets were validated cryptographically and stored in a hidden vault that persisted through reboots and package removal.
5. Targeting Browser Extensions and Auto-Upgrade Mechanism (Version 1.0.91): The final phase added capabilities to harvest data from Chromium-based browser extensions across multiple browsers, including Chrome, Edge, Brave, and Opera. This specifically targeted wallet extensions like MetaMask and Phantom. Additionally, an auto-upgrade mechanism was introduced, allowing the relay server to silently push new agent versions to all infected machines on a staggered schedule.
Persistence Mechanisms and Stealth Tactics
One of the most concerning aspects of `forge-jsxy` is its ability to maintain persistence on infected systems, even after the malicious npm package is removed. The malware achieves this by:
– Installing itself as a system service or daemon
– Modifying system startup scripts
– Utilizing scheduled tasks or cron jobs
These techniques ensure that the malicious agent remains active, granting attackers continuous access to compromised systems.
Implications for the Developer Community
This campaign underscores the growing sophistication of supply chain attacks targeting the open-source ecosystem. Developers are urged to exercise heightened vigilance when incorporating third-party packages into their projects. Best practices to mitigate such risks include:
– Verifying Package Authenticity: Cross-reference package information with official sources and maintainers.
– Monitoring for Unusual Activity: Implement tools to detect anomalous behavior during package installation and execution.
– Regularly Updating Dependencies: Keep all dependencies up to date to benefit from security patches and improvements.
– Conducting Security Audits: Periodically review and audit the codebase and its dependencies for potential vulnerabilities.
By adopting these practices, developers can enhance the security posture of their projects and reduce the risk of falling victim to similar supply chain attacks.