Skip to content

Add OSV reports for forge-jsx RAT campaign Wave 4 (npm: zredis-typed, pinokio-redis)#1349

Merged
elitsa-gosst merged 1 commit into
ossf:mainfrom
KunalSin9h:report-forge-jsx-rat-wave4
Jul 13, 2026
Merged

Add OSV reports for forge-jsx RAT campaign Wave 4 (npm: zredis-typed, pinokio-redis)#1349
elitsa-gosst merged 1 commit into
ossf:mainfrom
KunalSin9h:report-forge-jsx-rat-wave4

Conversation

@KunalSin9h

Copy link
Copy Markdown
Contributor

Summary

Reports 2 malicious npm packageszredis-typed v1.0.127 and pinokio-redis v1.0.127 — published by npm account donimique (donimiqueakers@gmail.com). Both are part of the multi-wave forge-jsx cross-platform RAT campaign (Wave 4), disguised as Autodesk Forge SDK packages.

The sibling Wave 4 packages zod-pino434 (MAL-2026-6794) and zod-pino444 (MAL-2026-6795) are already in OSV via Amazon Inspector, so they are intentionally not duplicated here.

Behavior

Both packages carry an identical postinstall agent chain that runs at install time:

  • Spawns dist/cli-agent.js as a detached, window-hidden process.
  • Connects over WebSocket to C2 212.193.3.61 (relay :9877, HTTP API :8765, default password secret), whose config is an AES-256-GCM blob decrypted at runtime via an XOR-reconstructed key.
  • Installs OS-level persistence (Windows Run key / macOS LaunchAgent / Linux systemd + XDG autostart, service forge-js-worker) under a hidden .forge-jsxy durable directory that survives npm uninstall.
  • Steals crypto material (BIP39 mnemonics, secp256k1/WIF keys, BIP32 xprv/tprv/zprv), harvests Chromium/Edge/Brave/Vivaldi/Yandex/Opera extension LevelDB stores (MetaMask/Phantom-shaped wallets), and exfiltrates to the Hugging Face Hub (embedded hf_ token) and Discord channels.

Campaign linkage

This is the first wave to ship rotated AES key material (DEPLOYMENT_KEY_A/KEY_B/MASK_A/MASK_B, hex 12335cede9edad1edbce89fd3ef0836c8edd3778e48f3f38f2330198ec8b1eb0), byte-identical across the four donimique-account packages — a single shared build. C2 212.193.3.61 (AS206216, Advin Services LLC, Nürnberg DE) is reused from the Wave 3 pino-zod/zod-pino rotation. Durable fingerprints independent of package name: the hardcoded .forge-jsxy directory, the dist/deploymentCipherData.js + dist/deploymentDefaults.js XOR-key routine, and a bundled README.md literally titled # forge-jsx.

Package Version(s) C2
zredis-typed 1.0.127 (only version; all malicious) 212.193.3.61
pinokio-redis 1.0.127 (only version; all malicious) 212.193.3.61

IOCs

  • C2: 212.193.3.61 (ports 9877, 8765)
  • zredis-typed v1.0.127 — SHA-256 a1853a45bcb561f96e0e7c0dec7f96e640ae53be62e65158880812ff104c9e41
  • pinokio-redis v1.0.127 — SHA-256 a400b0342add77fd3a58e086334b35e11d79e234b180bb360f48adcd61ec4acd

Full campaign analysis: https://safedep.io/malicious-forge-jsxy-npm-rat-evolution/

zredis-typed v1.0.127 and pinokio-redis v1.0.127, published by npm account
'donimique' (donimiqueakers@gmail.com), are part of the multi-wave forge-jsx
cross-platform RAT campaign. Both ship a postinstall agent that installs OS
persistence under a hidden .forge-jsxy directory and connects to C2
212.193.3.61 (ports 9877/8765) to perform crypto-wallet/secret theft, Chromium
extension DB harvesting, and Hugging Face / Discord exfiltration. This wave
uses rotated AES key material shared byte-identically across the donimique
account's packages.

The sibling packages zod-pino434 and zod-pino444 are already in OSV
(MAL-2026-6794 / MAL-2026-6795, Amazon Inspector).

Signed-off-by: Kunal Singh <kunalsin9h@gmail.com>
@elitsa-gosst elitsa-gosst merged commit 5793b66 into ossf:main Jul 13, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants