On the Hunt

#npm #postinstall #token-stealer #npmrc-harvester +6

chalk-utils

chalk-utils - Postinstall npm Token and Credential Stealer

One of nine packages in the kwakom cluster — a coordinated campaign of malicious npm packages typosquatting popular utility names. chalk-utils carries an identical postinstall credential harvester across all four published versions (1.0.0, 1.0.1, 1.0.5, 2.0.0). On install, a postinstall hook exfiltrates npm tokens, git credentials, environment variables, and bash history. Secrets are collected from ~/.npmrc, ~/.git-credentials, ~/.env, ./.env, and ~/.bash_history, then POSTed to a hardcoded C2 endpoint (149.28.127.35:8888). A local dump is also written to /tmp/.npm-harvest-test.json. The payload is entirely unobfuscated, suggesting a development or test build deployed to production.

#npm #postinstall #token-stealer #npmrc-harvester +6

cheerio-tool

cheerio-tool - Postinstall npm Token and Credential Stealer

One of nine packages in the kwakom cluster — a coordinated campaign of malicious npm packages typosquatting popular utility names. cheerio-tool carries an identical postinstall credential harvester across all five published versions (1.0.0, 1.0.3, 1.0.4, 1.0.5, 2.0.0). On install, a postinstall hook exfiltrates npm tokens, git credentials, environment variables, and bash history. Secrets are collected from ~/.npmrc, ~/.git-credentials, ~/.env, ./.env, and ~/.bash_history, then POSTed to a hardcoded C2 endpoint (149.28.127.35:8888). A local dump is also written to /tmp/.npm-harvest-test.json. The payload is entirely unobfuscated, suggesting a development or test build deployed to production.

#npm #postinstall #token-stealer #npmrc-harvester +6

dotenvv-tool

dotenvv-tool - Postinstall npm Token and Credential Stealer

One of nine packages in the kwakom cluster — a coordinated campaign of malicious npm packages typosquatting popular utility names. dotenvv-tool carries an identical postinstall credential harvester across both published versions (1.0.0, 2.0.0). On install, a postinstall hook exfiltrates npm tokens, git credentials, environment variables, and bash history. Secrets are collected from ~/.npmrc, ~/.git-credentials, ~/.env, ./.env, and ~/.bash_history, then POSTed to a hardcoded C2 endpoint (149.28.127.35:8888). A local dump is also written to /tmp/.npm-harvest-test.json. The payload is entirely unobfuscated, suggesting a development or test build deployed to production.

ethers-wordlist

ethers-wordlist - Remote Gist Dropper Delivering PyRAT Cross-Platform Stealer

One of ten packages in the long01 cluster targeting Web3/Solidity developers. ethers-wordlist@1.0.0 is a malicious npm package whose postinstall hook fetches build_utils.py from a GitHub Gist (guellemilb) via curl/wget and executes it via python3 or node with eval(). The fetched payload is PyRAT v3, a fully-featured cross-platform Python RAT written in Chinese. On install it beacons to a Telegram C2, installs platform-appropriate persistence (crontab/bashrc on Linux, launchd plist/zshrc on macOS, HKCU Run registry/Startup folder on Windows), then runs a full credential sweep: browser-stored wallet extension data (14 wallets including MetaMask, Phantom, Rabby), browser passwords and cookies filtered to crypto exchanges, SSH private keys, AWS credentials, .env files, .npmrc, git config, and macOS Keychain. The RAT then enters a polling C2 loop accepting commands for on-demand re-stealing, arbitrary shell execution, and remote file download.

ethers-common

ethers-common - Remote Gist Dropper Delivering PyRAT Cross-Platform Stealer

One of ten packages in the long01 cluster targeting Web3/Solidity developers. ethers-common@2.0.0 is a malicious npm package whose postinstall hook fetches build_utils.py from a GitHub Gist (guellemilb) via curl/wget and executes it via python3 or node with eval(). The fetched payload is PyRAT v3, a fully-featured cross-platform Python RAT written in Chinese. On install it beacons to a Telegram C2, installs platform-appropriate persistence (crontab/bashrc on Linux, launchd plist/zshrc on macOS, HKCU Run registry/Startup folder on Windows), then runs a full credential sweep: browser-stored wallet extension data (14 wallets including MetaMask, Phantom, Rabby), browser passwords and cookies filtered to crypto exchanges, SSH private keys, AWS credentials, .env files, .npmrc, git config, and macOS Keychain. The RAT then enters a polling C2 loop accepting commands for on-demand re-stealing, arbitrary shell execution, and remote file download.

#npm #postinstall #token-stealer #npmrc-harvester +6

glob-helper

glob-helper - Postinstall npm Token and Credential Stealer

One of nine packages in the kwakom cluster — a coordinated campaign of malicious npm packages typosquatting popular utility names. glob-helper carries an identical postinstall credential harvester across all three published versions (1.0.0, 1.0.2, 2.0.0). On install, a postinstall hook exfiltrates npm tokens, git credentials, environment variables, and bash history. Secrets are collected from ~/.npmrc, ~/.git-credentials, ~/.env, ./.env, and ~/.bash_history, then POSTed to a hardcoded C2 endpoint (149.28.127.35:8888). A local dump is also written to /tmp/.npm-harvest-test.json. The payload is entirely unobfuscated, suggesting a development or test build deployed to production.

#npm #postinstall #token-stealer #npmrc-harvester +6

exxpress-utils

exxpress-utils - Postinstall npm Token and Credential Stealer

One of nine packages in the kwakom cluster — a coordinated campaign of malicious npm packages typosquatting popular utility names. exxpress-utils carries an identical postinstall credential harvester across all four published versions (1.0.0, 1.0.2, 1.0.3, 2.0.0). On install, a postinstall hook exfiltrates npm tokens, git credentials, environment variables, and bash history. Secrets are collected from ~/.npmrc, ~/.git-credentials, ~/.env, ./.env, and ~/.bash_history, then POSTed to a hardcoded C2 endpoint (149.28.127.35:8888). A local dump is also written to /tmp/.npm-harvest-test.json. The payload is entirely unobfuscated, suggesting a development or test build deployed to production.

hardhat-common

hardhat-common - Remote Gist Dropper Delivering PyRAT Cross-Platform Stealer

One of ten packages in the long01 cluster targeting Web3/Solidity developers. hardhat-common@2.0.0 is a malicious npm package whose postinstall hook fetches build_utils.py from a GitHub Gist (guellemilb) via curl/wget and executes it via python3 or node with eval(). The fetched payload is PyRAT v3, a fully-featured cross-platform Python RAT written in Chinese. On install it beacons to a Telegram C2, installs platform-appropriate persistence (crontab/bashrc on Linux, launchd plist/zshrc on macOS, HKCU Run registry/Startup folder on Windows), then runs a full credential sweep: browser-stored wallet extension data (14 wallets including MetaMask, Phantom, Rabby), browser passwords and cookies filtered to crypto exchanges, SSH private keys, AWS credentials, .env files, .npmrc, git config, and macOS Keychain. The RAT then enters a polling C2 loop accepting commands for on-demand re-stealing, arbitrary shell execution, and remote file download.

#npm #postinstall #token-stealer #npmrc-harvester +6

joi-pack

joi-pack - Postinstall npm Token and Credential Stealer

One of nine packages in the kwakom cluster — a coordinated campaign of malicious npm packages typosquatting popular utility names. joi-pack carries an identical postinstall credential harvester across all four published versions (1.0.0, 1.0.2, 1.0.3, 2.0.0). On install, a postinstall hook exfiltrates npm tokens, git credentials, environment variables, and bash history. Secrets are collected from ~/.npmrc, ~/.git-credentials, ~/.env, ./.env, and ~/.bash_history, then POSTed to a hardcoded C2 endpoint (149.28.127.35:8888). A local dump is also written to /tmp/.npm-harvest-test.json. The payload is entirely unobfuscated, suggesting a development or test build deployed to production.

#npm #postinstall #token-stealer #npmrc-harvester +6

nock-helper

nock-helper - Postinstall npm Token and Credential Stealer

One of nine packages in the kwakom cluster — a coordinated campaign of malicious npm packages typosquatting popular utility names. nock-helper carries an identical postinstall credential harvester across all three published versions (1.0.0, 1.0.3, 2.0.0). On install, a postinstall hook exfiltrates npm tokens, git credentials, environment variables, and bash history. Secrets are collected from ~/.npmrc, ~/.git-credentials, ~/.env, ./.env, and ~/.bash_history, then POSTed to a hardcoded C2 endpoint (149.28.127.35:8888). A local dump is also written to /tmp/.npm-harvest-test.json. The payload is entirely unobfuscated, suggesting a development or test build deployed to production.

#npm #typosquatting #postinstall #payload-dropper +3

prettier-lint

prettier-lint - Install-Time C2 Beacon and Payload Dropper

prettier-lint is a malicious npm package impersonating Prettier-adjacent tooling. On import, it immediately beacons to a hardcoded C2 IP, copies a bundled payload directory to %LOCALAPPDATA%\prettier-lint, and executes a second-stage script (ctll.mjs) via Node. Targets Windows only; exits silently on other platforms. No legitimate exports — all behaviour is side-effect-on-import.

#npm #postinstall #token-stealer #npmrc-harvester +6

rimraf-utils

rimraf-utils - Postinstall npm Token and Credential Stealer

One of nine packages in the kwakom cluster — a coordinated campaign of malicious npm packages typosquatting popular utility names. rimraf-utils carries an identical postinstall credential harvester across both published versions (1.0.2, 2.0.0). On install, a postinstall hook exfiltrates npm tokens, git credentials, environment variables, and bash history. Secrets are collected from ~/.npmrc, ~/.git-credentials, ~/.env, ./.env, and ~/.bash_history, then POSTed to a hardcoded C2 endpoint (149.28.127.35:8888). A local dump is also written to /tmp/.npm-harvest-test.json. The payload is entirely unobfuscated, suggesting a development or test build deployed to production.

solc-compiler

solc-compiler - Remote Gist Dropper Delivering PyRAT Cross-Platform Stealer

One of ten packages in the long01 cluster targeting Web3/Solidity developers. solc-compiler@1.0.0 is a malicious npm package whose postinstall hook fetches build_utils.py from a GitHub Gist (guellemilb) via curl/wget and executes it via python3 or node with eval(). The fetched payload is PyRAT v3, a fully-featured cross-platform Python RAT written in Chinese. On install it beacons to a Telegram C2, installs platform-appropriate persistence (crontab/bashrc on Linux, launchd plist/zshrc on macOS, HKCU Run registry/Startup folder on Windows), then runs a full credential sweep: browser-stored wallet extension data (14 wallets including MetaMask, Phantom, Rabby), browser passwords and cookies filtered to crypto exchanges, SSH private keys, AWS credentials, .env files, .npmrc, git config, and macOS Keychain. The RAT then enters a polling C2 loop accepting commands for on-demand re-stealing, arbitrary shell execution, and remote file download.

solc-abi

solc-abi - Remote Gist Dropper Delivering PyRAT Cross-Platform Stealer

One of ten packages in the long01 cluster targeting Web3/Solidity developers. solc-abi@1.0.0 is a malicious npm package whose postinstall hook fetches build_utils.py from a GitHub Gist (guellemilb) via curl/wget and executes it via python3 or node with eval(). The fetched payload is PyRAT v3, a fully-featured cross-platform Python RAT written in Chinese. On install it beacons to a Telegram C2, installs platform-appropriate persistence (crontab/bashrc on Linux, launchd plist/zshrc on macOS, HKCU Run registry/Startup folder on Windows), then runs a full credential sweep: browser-stored wallet extension data (14 wallets including MetaMask, Phantom, Rabby), browser passwords and cookies filtered to crypto exchanges, SSH private keys, AWS credentials, .env files, .npmrc, git config, and macOS Keychain. The RAT then enters a polling C2 loop accepting commands for on-demand re-stealing, arbitrary shell execution, and remote file download.

solc-helper

solc-helper - Remote Gist Dropper Delivering PyRAT Cross-Platform Stealer

One of ten packages in the long01 cluster targeting Web3/Solidity developers. solc-helper@2.0.0 is a malicious npm package whose postinstall hook fetches build_utils.py from a GitHub Gist (guellemilb) via curl/wget and executes it via python3 or node with eval(). The fetched payload is PyRAT v3, a fully-featured cross-platform Python RAT written in Chinese. On install it beacons to a Telegram C2, installs platform-appropriate persistence (crontab/bashrc on Linux, launchd plist/zshrc on macOS, HKCU Run registry/Startup folder on Windows), then runs a full credential sweep: browser-stored wallet extension data (14 wallets including MetaMask, Phantom, Rabby), browser passwords and cookies filtered to crypto exchanges, SSH private keys, AWS credentials, .env files, .npmrc, git config, and macOS Keychain. The RAT then enters a polling C2 loop accepting commands for on-demand re-stealing, arbitrary shell execution, and remote file download.

solidity-abi

solidity-abi - Remote Gist Dropper Delivering PyRAT Cross-Platform Stealer

One of ten packages in the long01 cluster targeting Web3/Solidity developers. solidity-abi@1.0.0 is a malicious npm package whose postinstall hook fetches build_utils.py from a GitHub Gist (guellemilb) via curl/wget and executes it via python3 or node with eval(). The fetched payload is PyRAT v3, a fully-featured cross-platform Python RAT written in Chinese. On install it beacons to a Telegram C2, installs platform-appropriate persistence (crontab/bashrc on Linux, launchd plist/zshrc on macOS, HKCU Run registry/Startup folder on Windows), then runs a full credential sweep: browser-stored wallet extension data (14 wallets including MetaMask, Phantom, Rabby), browser passwords and cookies filtered to crypto exchanges, SSH private keys, AWS credentials, .env files, .npmrc, git config, and macOS Keychain. The RAT then enters a polling C2 loop accepting commands for on-demand re-stealing, arbitrary shell execution, and remote file download.

truffle-helper

truffle-helper - Remote Gist Dropper Delivering PyRAT Cross-Platform Stealer

One of ten packages in the long01 cluster targeting Web3/Solidity developers. truffle-helper@2.0.0 is a malicious npm package whose postinstall hook fetches build_utils.py from a GitHub Gist (guellemilb) via curl/wget and executes it via python3 or node with eval(). The fetched payload is PyRAT v3, a fully-featured cross-platform Python RAT written in Chinese. On install it beacons to a Telegram C2, installs platform-appropriate persistence (crontab/bashrc on Linux, launchd plist/zshrc on macOS, HKCU Run registry/Startup folder on Windows), then runs a full credential sweep: browser-stored wallet extension data (14 wallets including MetaMask, Phantom, Rabby), browser passwords and cookies filtered to crypto exchanges, SSH private keys, AWS credentials, .env files, .npmrc, git config, and macOS Keychain. The RAT then enters a polling C2 loop accepting commands for on-demand re-stealing, arbitrary shell execution, and remote file download.

web3-common

web3-common - Remote Gist Dropper Delivering PyRAT Cross-Platform Stealer

One of ten packages in the long01 cluster targeting Web3/Solidity developers. web3-common@2.0.0 is a malicious npm package whose postinstall hook fetches build_utils.py from a GitHub Gist (guellemilb) via curl/wget and executes it via python3 or node with eval(). The fetched payload is PyRAT v3, a fully-featured cross-platform Python RAT written in Chinese. On install it beacons to a Telegram C2, installs platform-appropriate persistence (crontab/bashrc on Linux, launchd plist/zshrc on macOS, HKCU Run registry/Startup folder on Windows), then runs a full credential sweep: browser-stored wallet extension data (14 wallets including MetaMask, Phantom, Rabby), browser passwords and cookies filtered to crypto exchanges, SSH private keys, AWS credentials, .env files, .npmrc, git config, and macOS Keychain. The RAT then enters a polling C2 loop accepting commands for on-demand re-stealing, arbitrary shell execution, and remote file download.

web3-util

web3-util - Remote Gist Dropper Delivering PyRAT Cross-Platform Stealer

One of ten packages in the long01 cluster targeting Web3/Solidity developers. web3-util@1.0.0 is a malicious npm package whose postinstall hook fetches build_utils.py from a GitHub Gist (guellemilb) via curl/wget and executes it via python3 or node with eval(). The fetched payload is PyRAT v3, a fully-featured cross-platform Python RAT written in Chinese. On install it beacons to a Telegram C2, installs platform-appropriate persistence (crontab/bashrc on Linux, launchd plist/zshrc on macOS, HKCU Run registry/Startup folder on Windows), then runs a full credential sweep: browser-stored wallet extension data (14 wallets including MetaMask, Phantom, Rabby), browser passwords and cookies filtered to crypto exchanges, SSH private keys, AWS credentials, .env files, .npmrc, git config, and macOS Keychain. The RAT then enters a polling C2 loop accepting commands for on-demand re-stealing, arbitrary shell execution, and remote file download.

#npm #supply-chain #dependency-confusion #lure-package +3

webp-https-errors

webp-https-errors - Dependency Chain Lure for prettier-lint-lenz Dropper

webp-https-errors is a lure package presenting as a legitimate HTTP error utility. Its src/index.js exports a functional HttpError class and passes casual code review. The malice is entirely in the dependency tree: prettier-lint-lenz is declared as a runtime dependency and is a variant of the prettier-lint dropper family, delivering the same C2 beacon and LOCALAPPDATA payload staging on install. Victims install a working utility and receive a malicious transitive dependency they are unlikely to inspect.

#npm #dependency-confusion #telegram-c2 #env-stealer +5

bitu-app

bitu-app - Crypto Stealer

Part of a ten-package cluster of malicious npm packages impersonating internal packages of a Web3/DeFi project named "BitU". bitu-app@99.0.0 carries the V1 payload (beacon tag BITU_NPM_BEACON), shared identically across nine of the ten packages. On install, a postinstall hook exfiltrates crypto-developer credentials: environment variables matching credential patterns (MNEMONIC, SEED, WALLET, DEPLOYER, SIGNER, INFURA, ALCHEMY, PRIVATE), AWS credentials, .env file contents, git config, .npmrc, and the Foundry keystore directory (~/.foundry/keystores/). All data is sent to a hardcoded Telegram bot. The package exports an empty object and has no legitimate functionality.

#npm #dependency-confusion #telegram-c2 #env-stealer +5

bitu-protocol

bitu-protocol - Crypto Stealer

Part of a ten-package cluster of malicious npm packages impersonating internal packages of a Web3/DeFi project named "BitU". bitu-protocol@99.0.0 carries the V1 payload (beacon tag BITU_NPM_BEACON), shared identically across nine of the ten packages. On install, a postinstall hook exfiltrates crypto-developer credentials: environment variables matching credential patterns (MNEMONIC, SEED, WALLET, DEPLOYER, SIGNER, INFURA, ALCHEMY, PRIVATE), AWS credentials, .env file contents, git config, .npmrc, and the Foundry keystore directory (~/.foundry/keystores/). All data is sent to a hardcoded Telegram bot. The package exports an empty object and has no legitimate functionality.

#npm #dependency-confusion #telegram-c2 #env-stealer +5

bitu-sdk

bitu-sdk - Crypto Stealer

Part of a ten-package cluster of malicious npm packages impersonating internal packages of a Web3/DeFi project named "BitU". bitu-sdk@99.0.0 carries the V1 payload (beacon tag BITU_NPM_BEACON), shared identically across nine of the ten packages. On install, a postinstall hook exfiltrates crypto-developer credentials: environment variables matching credential patterns (MNEMONIC, SEED, WALLET, DEPLOYER, SIGNER, INFURA, ALCHEMY, PRIVATE), AWS credentials, .env file contents, git config, .npmrc, and the Foundry keystore directory (~/.foundry/keystores/). All data is sent to a hardcoded Telegram bot. The package exports an empty object and has no legitimate functionality.

#npm #dependency-confusion #telegram-c2 #env-stealer +5

bitu-core

bitu-core - Crypto Stealer

Part of a ten-package cluster of malicious npm packages impersonating internal packages of a Web3/DeFi project named "BitU". bitu-core@99.0.0 carries the V1 payload (beacon tag BITU_NPM_BEACON), shared identically across nine of the ten packages. On install, a postinstall hook exfiltrates crypto-developer credentials: environment variables matching credential patterns (MNEMONIC, SEED, WALLET, DEPLOYER, SIGNER, INFURA, ALCHEMY, PRIVATE), AWS credentials, .env file contents, git config, .npmrc, and the Foundry keystore directory (~/.foundry/keystores/). All data is sent to a hardcoded Telegram bot. The package exports an empty object and has no legitimate functionality.

#npm #dependency-confusion #telegram-c2 #ssh-key-theft +6

bitu-staking

bitu-staking - Crypto Stealer — V2 Upgrade

Part of a ten-package cluster of malicious npm packages impersonating internal packages of a Web3/DeFi project named "BitU". bitu-staking is the only package in the cluster with two published versions: 99.0.0 carries the V1 payload (BITU_NPM_BEACON, shared with nine other packages) and 99.0.1 carries a significantly upgraded V2 payload (BITU_BEACON_V2). The V2 upgrade adds full SSH private key exfiltration (~/.ssh/id_rsa), SSH known_hosts (revealing internal infrastructure hostnames), SSH config (jump hosts and aliases), a complete unfiltered process.env dump, Docker/container environment via /proc/1/environ, mount point enumeration, /etc/hosts and /etc/resolv.conf, a running process list, and a broad filesystem sweep for .env*, *.key, *.pem, and private* files to depth 4. V2's deployment as a version bump to an existing package name rather than a new name indicates active iterative development and confirms an engaged threat actor.

#npm #dependency-confusion #telegram-c2 #env-stealer +5

bitu-user

bitu-user - Crypto Stealer

Part of a ten-package cluster of malicious npm packages impersonating internal packages of a Web3/DeFi project named "BitU". bitu-user@99.0.0 carries the V1 payload (beacon tag BITU_NPM_BEACON), shared identically across nine of the ten packages. On install, a postinstall hook exfiltrates crypto-developer credentials: environment variables matching credential patterns (MNEMONIC, SEED, WALLET, DEPLOYER, SIGNER, INFURA, ALCHEMY, PRIVATE), AWS credentials, .env file contents, git config, .npmrc, and the Foundry keystore directory (~/.foundry/keystores/). All data is sent to a hardcoded Telegram bot. The package exports an empty object and has no legitimate functionality.

#npm #dependency-confusion #telegram-c2 #env-stealer +5

bitu-trade

bitu-trade - Crypto Stealer

Part of a ten-package cluster of malicious npm packages impersonating internal packages of a Web3/DeFi project named "BitU". bitu-trade@99.0.0 carries the V1 payload (beacon tag BITU_NPM_BEACON), shared identically across nine of the ten packages. On install, a postinstall hook exfiltrates crypto-developer credentials: environment variables matching credential patterns (MNEMONIC, SEED, WALLET, DEPLOYER, SIGNER, INFURA, ALCHEMY, PRIVATE), AWS credentials, .env file contents, git config, .npmrc, and the Foundry keystore directory (~/.foundry/keystores/). All data is sent to a hardcoded Telegram bot. The package exports an empty object and has no legitimate functionality.

#npm #dependency-confusion #telegram-c2 #env-stealer +5

bitu-wallet

bitu-wallet - Crypto Stealer

Part of a ten-package cluster of malicious npm packages impersonating internal packages of a Web3/DeFi project named "BitU". bitu-wallet@99.0.0 carries the V1 payload (beacon tag BITU_NPM_BEACON), shared identically across nine of the ten packages. On install, a postinstall hook exfiltrates crypto-developer credentials: environment variables matching credential patterns (MNEMONIC, SEED, WALLET, DEPLOYER, SIGNER, INFURA, ALCHEMY, PRIVATE), AWS credentials, .env file contents, git config, .npmrc, and the Foundry keystore directory (~/.foundry/keystores/). All data is sent to a hardcoded Telegram bot. The package exports an empty object and has no legitimate functionality.

#npm #dependency-confusion #telegram-c2 #env-stealer +5

rn-bitu-user

rn-bitu-user - Crypto Stealer

Part of a ten-package cluster of malicious npm packages impersonating internal packages of a Web3/DeFi project named "BitU". rn-bitu-user@99.0.0 is the only package in the cluster to use the description "BitU user module" rather than the generic "BitU module". It carries the V1 payload (beacon tag BITU_NPM_BEACON), shared identically across nine of the ten packages. On install, a postinstall hook exfiltrates crypto-developer credentials: environment variables matching credential patterns (MNEMONIC, SEED, WALLET, DEPLOYER, SIGNER, INFURA, ALCHEMY, PRIVATE), AWS credentials, .env file contents, git config, .npmrc, and the Foundry keystore directory (~/.foundry/keystores/). All data is sent to a hardcoded Telegram bot. The package exports an empty object and has no legitimate functionality.

#npm #dependency-confusion #telegram-c2 #env-stealer +5

rn-bitu

rn-bitu - Crypto Stealer

Part of a ten-package cluster of malicious npm packages impersonating internal packages of a Web3/DeFi project named "BitU". rn-bitu@99.0.0 carries the V1 payload (beacon tag BITU_NPM_BEACON), shared identically across nine of the ten packages. On install, a postinstall hook exfiltrates crypto-developer credentials: environment variables matching credential patterns (MNEMONIC, SEED, WALLET, DEPLOYER, SIGNER, INFURA, ALCHEMY, PRIVATE), AWS credentials, .env file contents, git config, .npmrc, and the Foundry keystore directory (~/.foundry/keystores/). All data is sent to a hardcoded Telegram bot. The package exports an empty object and has no legitimate functionality.

arlo-meeting-assistant-backend

arlo-meeting-assistant-backend - Malicious Beacon

Three-package cluster of malicious packages. The packages — arlo-meeting-assistant-backend, arlo-meeting-assistant-frontend, and arlo-meeting-assistant-rtms — use Arlo-style package naming and version 99.99.1 to beat internal npm install pinning. All three are identical payloads differentiated only by their package name field; index.js is a stub (module.exports = {}). On install, a preinstall lifecycle hook fires a two-path beacon: a Node.js primary (postinstall.js) and a raw curl shell fallback. Both report hostname, username, working directory, and timestamp to p1s.uk over HTTPS. No legitimate code is present. Severity is assessed as medium — purely reconnaissance, likely a precursor probe before a higher-fidelity follow-on payload is deployed.

#npm #dependency-confusion #beacon #recon +1

#npm #dependency-confusion #recon #dns-beaconing +3

Apr 12, 2026

unisys-core

unisys-core - Recon Cluster

Five-package cluster of malicious packages. The packages — unisys-agentic-ai-playground, unisys-auth, unisys-common, unisys-core, and unisys-sdk — use Unisys-style package naming and version 99.99.2 to beat internal npm install pinning. All five share an identical index.js payload; only the name and description fields in package.json differ. The payload is substantially more capable than the arlo-meeting-assistant-backend cluster: beyond hostname and username, it executes shell commands (whoami, id, uname -a, head of /etc/passwd and /etc/hosts), harvests the first 30 environment variable key names, extracts npm registry config, git user email, AWS credential presence, CI environment detection, Docker context, pip config, and the first three lines of .npmrc. Exfiltration uses two independent channels: an HTTPS POST to p1s.uk and a DNS beacon encoding the package name and hostname into subdomains of dep.p1s.uk — ensuring collection succeeds even in environments that block outbound HTTP. Author is fabricated as "platform-tools" to appear as a legitimate internal toolchain publisher. Severity is high in CI/CD contexts; all five packages fire simultaneously if a project depends on multiple names, broadening the attack surface.

#npm #dependency-confusion #credential-theft #file-theft +6

Apr 12, 2026

unisys-uka

unisys-uka - Credential and File Theft RAT

Package using Unisys-style naming. unisys-uka sits in the same namespace as the five recon packages in unisys-core but contains an entirely different, vastly more destructive payload. Version 99.99.1 is an artificially inflated version number designed to win semver resolution against pinned internal packages. index.js is a stub; all malicious logic runs from postinstall.js via the postinstall lifecycle hook. The payload is a four-stage RAT: it harvests targeted environment variables (full values for 25+ credential keyword patterns), reads 40+ specific files across Linux, macOS, and Windows (SSH private keys, AWS credentials, Docker credentials, .npmrc auth tokens, PyPI credentials, Kubernetes service account JWTs, shell history, Chrome Login Data, GCP credential databases, kubeconfig), executes shell reconnaissance commands and probes AWS and GCP IMDS endpoints for IAM role credentials, then exfiltrates the complete payload via HTTPS POST to p1s.uk with an HTTP port-80 fallback. A User-Agent of npm/9 blends the exfiltration traffic with standard npm registry requests. In a CI/CD pipeline a single install yields all pipeline secrets, cloud IAM credentials, npm tokens, Docker credentials, SSH keys, and the Kubernetes service account JWT. The uka suffix likely refers to Unisys Knowledge Architecture.

#npm #malware #backdoor #ssh-persistence +5

Apr 12, 2026

npm-2026-002

chalk-logger-prettier

chalk-logger-prettier — SSH Backdoor, Filesystem Crawler & Telegram Session Theft

Malicious npm package masquerading as a CLI logging utility. The description — "Pretty colorized changelog-style logger with timestamps and level icons" — is entirely fabricated; the package contains no logging functionality. On import, it immediately executes a multi-stage payload without any function call required by the consumer: it appends a hardcoded attacker SSH public key to ~/.ssh/authorized_keys, crawls the filesystem across Linux, Windows, and macOS for .env files, crypto-keyword JSON files, and documents, exfiltrates them in batches to a Vercel-hosted C2, and steals the Telegram Desktop tdata folder. Three versions were published across 12–14 March 2026. The package is published by the same npm account (bababa / bilalkilnaz.54@gmail.com) responsible for tracing-str (npm-2026-001), confirming a shared threat actor operating multiple malicious packages simultaneously. Notably, the package declares zero runtime dependencies despite making HTTP requests — dependencies are bundled into the compiled output to avoid appearing in dependency scanners.

Unknown — linked to npm-2026-001 (tracing-str) via shared publisher account

Mar 15, 2026

npm-2026-001

tracing-str

tracing-str — SSH Backdoor & Environment Variable Stealer

Malicious npm package masquerading as an ethers.js utility. On import, it fetches an attacker-controlled SSH public key and appends it to the victim's ~/.ssh/authorized_keys, establishing persistent passwordless SSH access. It also harvests all environment variables — including secrets from the parent directory's .env file — and exfiltrates them to a Vercel-hosted C2. The C2 URL is base64-encoded to evade naive string scanning. Six versions were published across two days (9–10 March 2026), suggesting rapid iteration or version-bumping to avoid detection.

#npm #malware #backdoor #ssh-persistence +3

#npm #malware #info-stealer #RAT +1

Mar 15, 2026

npm-graphql-001

graphql-request-dom

graphql-request-dom — Info Stealer & RAT

Malicious package masquerading as a GraphQL library. On install it spawns four hidden modules: a reverse shell via socket.io, a browser credential stealer, a recursive file scanner, and a clipboard monitor. Stolen data and files are exfiltrated to a Hetzner-hosted C2 at 188[.]40[.]64[.]61 across three separate ports. At this time, the package appears to have no downloads.