forge-jsxy: 22 Versions of an Actively Developed npm RAT
TL;DR
forge-jsxy is a malicious npm package that continued the forge-jsx RAT campaign after npm took down the original. Published under a new maintainer account (jacksonkaandorp2), it shipped 22 versions between May 4 and May 26, 2026, picking up the exact version number where forge-jsx left off (v1.0.66). Over those 22 days, the operator added cryptocurrency wallet scanning with BIP39 mnemonic validation, Chromium browser extension database theft across 21+ browsers, WebRTC peer-to-peer data channels, durable persistence outside node_modules, and relay-pushed auto-upgrades. All stolen data flows to the same C2 at 204.10.194.247 and to attacker-controlled Hugging Face repositories.
Impact:
- All capabilities from forge-jsx retained: keylogging, clipboard monitoring, .env scanning, shell history exfiltration, host inventory, remote filesystem access
- Periodic desktop screenshots exfiltrated via Discord bot webhooks
- Cryptocurrency wallet files scanned across the entire filesystem: BIP39 mnemonics validated via checksum, Solana keypairs verified with tweetnacl, secp256k1 private keys range-checked
- Chromium extension LevelDB databases (wallet extensions) harvested from 21+ browsers and uploaded to Hugging Face
- Agent copies itself outside node_modules to survive npm uninstall
- Relay server can push agent version upgrades to infected machines
Indicators of Compromise (IoC):
| Indicator | Value |
|---|---|
| Package | forge-jsxy v1.0.66–v1.0.91 (22 versions) |
| npm maintainer | jacksonkaandorp2 ([email protected]) |
| C2 IP | 204.10.194.247 (AS206216 Advin Services LLC, Nürnberg, DE) |
| WebSocket relay | ws://204[.]10[.]194[.]247:9877 |
| HTTP API | hxxp://204[.]10[.]194[.]247:8765 |
| Default session password | secret |
| Durable agent directory (Linux) | ~/.local/share/cfgmgr/.forge-jsxy/ |
| Durable agent directory (macOS) | ~/Library/Application Support/CfgMgr/data/.forge-jsxy/ |
| Durable agent directory (Windows) | %LOCALAPPDATA%\CfgMgr\data\.forge-jsxy\ |
| Secret audit vault | <durable>/.vault/secret-audit/result.json |
| Extension DB staging | <durable>/.vault/secret-audit/extension-db-staging/ |
| Linux persistence | ~/.config/systemd/user/forge-js-worker.service |
| macOS persistence | ~/Library/LaunchAgents/com.forgejs.worker.plist |
| Windows persistence | Task Scheduler ForgeJSWorker, HKCU\...\Run\ForgeJSWorker |
| Package artifact SHA-256 (v1.0.91) | 4938d47fe6216f8f9fee0527bf5112c04c15a9ea62f87869677619aa5400f09f |
| Related package | forge-jsx v1.0.0–v1.0.66 (same campaign, taken down May 4) |
| OSV advisory | MAL-2026-3609 |
Analysis
Continuity from forge-jsx
npm replaced forge-jsx with a security placeholder (0.0.1-security) on May 4, 2026. The last version published under that name was v1.0.66. Within hours, forge-jsxy appeared under a different maintainer account, starting at v1.0.66:
| Package | Version | Published | Maintainer |
|---|---|---|---|
| forge-jsx | v1.0.66 | 2026-05-03T22:36:55Z | johnceballos0716 |
| forge-jsx | 0.0.1-security | 2026-05-04T01:19:39Z | npm takeover |
| forge-jsxy | v1.0.66 | 2026-05-04T07:15:47Z | jacksonkaandorp2 |
The version counter, the package.json description (“Node.js integration layer for Autodesk Forge”), the keywords (cfgmgr, forge-db, sync, websocket, relay), and the AES-256-GCM encrypted C2 config are identical. The only structural change: forge-jsxy uses its own durable directory name (.forge-jsxy instead of .forge-jsx). Same operator, new throwaway npm account.
Across both package names, the campaign spans 88 versions from April 7 to May 26: 50 days of active development on a malicious RAT published to npm.
Version Evolution
The 22 forge-jsxy versions cluster into five development phases, each adding new offensive capabilities.
Phase 1: Base RAT (v1.0.66–v1.0.76, May 4–6)
The first 11 versions carry the full forge-jsx feature set. The postinstall hook runs four scripts in sequence:
```jsonc
// package.json (v1.0.66)
"postinstall": "node scripts/postinstall-clipboard-event.mjs && node scripts/ensure-dist.mjs && node scripts/postinstall-bootstrap.mjs && node scripts/postinstall-agent.mjs"
```
CI environments are detected and skipped. On developer machines, the agent deploys with keylogging (uiohook-napi), clipboard monitoring (@napi-rs/clipboard), .env file scanning, shell history collection, host inventory, and a WebSocket filesystem backdoor. Persistence uses systemd, LaunchAgent, or Task Scheduler depending on platform.
The C2 configuration is encrypted identically to forge-jsx:
```js
exports.DEPLOYMENT_KEY_A = new Uint8Array([135, 49, 199, 76, 166, 214, 58, 202, 152, 59, 1, 155, 171, 88, 86, 12]);
exports.DEPLOYMENT_MASK_A = new Uint8Array([186, 248, 100, 81, 174, 76, 90, 98, 101, 206, 50, 3, 55, 72, 41, 252]);
// XOR reconstruction: KEY_A[i] ^ MASK_A[i], KEY_B[i] ^ MASK_B[i] = AES-256-GCM key
// Decrypts to: { "publicHost": "204.10.194.247", "relayPort": 9877, "apiPort": 8765, "defaultExplorerPassword": "secret" }
```
One capability absent from the original forge-jsx analysis: periodic desktop screenshots. The agent captures the full screen using jimp, then uploads via Discord bot webhooks. The relay distributes short-lived webhook URLs to each agent, deletes them after upload, and shards agents across multiple bot tokens using FNV-1a hashing to spread Discord rate limits:
```js
function discordClientIdFnv1a32(clientId) {
  let h = 2166136261 >>> 0;
  const s = String(clientId || '');
  for (let i = 0; i < s.length; i++) {
    h ^= s.charCodeAt(i);
    h = Math.imul(h, 16777619) >>> 0;
  }
  return h >>> 0;
}
```
Stolen files and data are uploaded to attacker-controlled Hugging Face repositories via the @huggingface/hub SDK. The HF credentials are AES-256-GCM encrypted with the same key material as the C2 config. Each victim gets a per-client repo (namespace/client_<seq_id>), and uploads go under exports/<timestamp>_<rand>/ paths.
Phase 2: Explorer Improvements (v1.0.77, May 13)
After a week-long gap, v1.0.77 added picomatch as a dependency and shipped two new files: explorerHeavyDirSkips.js (to skip large directories like node_modules during filesystem scans) and a bundled highlight.min.js for syntax highlighting in the web-based file explorer. The remote viewer interface was getting a UI polish pass.
Phase 3: WebRTC P2P Data Channel (v1.0.79–v1.0.80, May 14–15)
node-datachannel appeared as an optional dependency. Two new modules (forgeBulkDc.js, forgeRtcAgent.js) implemented WebRTC peer-to-peer data channels between agent and viewer. The framing protocol uses chunked binary SCTP messages with a v2 header format:
```js
exports.FORGE_BULK_VERSION = 2;
exports.FORGE_BULK_V2_CHUNK_PAYLOAD_BYTES = 56 * 1024;
// Large fs_read/fs_zip/fs_screenshot payloads sent as header + chunked binary
// Avoids single-message size limits on SCTP data channels
```
The WebRTC path supplements the WebSocket relay, providing direct low-latency access when both agent and viewer can establish a peer connection. ICE candidates use stun:stun.l.google.com:19302 by default. The agent routes small JSON responses over the data channel while falling back to WebSocket for large payloads exceeding 32 KB.
Phase 4: Crypto Wallet Theft and Durable Persistence (v1.0.81–v1.0.85, May 18)
Four versions landed on May 18 alone. This was the largest single-day capability jump. Two new dependencies appeared: @scure/bip39 (BIP39 mnemonic word validation) and tweetnacl (Ed25519 for Solana keypair verification).
An entire secretScan/ directory (14 files) implements a filesystem-wide scanner for cryptocurrency private keys. The scanner walks every mounted volume (POSIX / or all Windows drive letters), matching files against a bundled pattern list:
```jsonc
// assets/secret_filename_patterns.json (excerpt)
{
  "include_patterns": [
    "wallet.json", "wallet.dat", "id.json", "keypair.json",
    "*.key", "*.wallet", "*.mnemonic", "*.seed",
    "*private*", "*secret*", "*keypair*", "*wallet*.json"
  ],
  "include_dirs": [".keys", ".secrets", ".solana", ".ethereum", ".bitcoin", ".web3", ".keystore", ".config/solana"]
}
```
Matches pass through content-level validation. The scanner looks for hex-encoded 32-byte values, BIP32 extended private keys, WIF-format private keys, env-style KEY=value patterns, and JSON secret fields. Each hit goes through a strict gate: BIP39 mnemonics must pass checksum validation, Solana keypairs must verify seed-to-public-key derivation via tweetnacl, and secp256k1 scalars must fall within the valid curve order range:
```js
// Imports implied by the excerpt: tweetnacl (a declared dependency) and Node's crypto module.
const nacl = require('tweetnacl');
const { timingSafeEqual } = require('crypto');

const SECP256K1_N = BigInt('0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141');

// A 64-hex-char scalar is a usable secp256k1 private key only when 1 <= k < N.
function isValidSecp256k1PrivateKeyHex(h) {
  const s = h.trim();
  if (!/^[0-9a-fA-F]{64}$/.test(s)) return false;
  const k = BigInt(`0x${s}`);
  return k >= 1n && k < SECP256K1_N;
}

// Solana-style 64-byte secret key = 32-byte seed || 32-byte public key; re-derive and compare.
function isConsistentSolanaStyleSigningSecretKey64(buf) {
  if (buf.length !== 64) return false;
  const seed = buf.subarray(0, 32);
  const claimedPub = buf.subarray(32, 64);
  const kp = nacl.sign.keyPair.fromSeed(seed);
  return timingSafeEqual(Buffer.from(kp.publicKey), Buffer.from(claimedPub));
}
```
Validated findings are deduplicated by cryptographic fingerprint and merged into a persistent vault at <CfgMgr data>/.forge-jsxy/.vault/secret-audit/result.json. The vault survives agent restarts, WebSocket reconnects, and OS reboots. Found secrets are uploaded to the attacker’s Hugging Face repo under agents/<hostname>/result.json.
The same release batch introduced durable persistence: postinstall-durable-materialize.mjs copies the agent’s dist/ directory into a hidden platform-specific location outside node_modules. The postinstall chain gained a new step:
```jsonc
// package.json (v1.0.81+)
"postinstall": "node scripts/postinstall-clipboard-event.mjs && node scripts/ensure-dist.mjs && node scripts/postinstall-durable-materialize.mjs && node scripts/postinstall-bootstrap.mjs && node scripts/postinstall-agent.mjs"
```
The autostart service points to this durable copy, so running npm uninstall forge-jsxy removes the package from node_modules but leaves the agent binary and persistence mechanism intact.
Phase 5: Browser Extension Theft and Auto-Upgrade (v1.0.90–v1.0.91, May 18–26)
The latest versions added chromiumExtensionDbHarvest.js, which discovers Chromium-family browser profiles across 21+ browsers and copies extension LevelDB databases to a staging directory:
```js
// dist/chromiumExtensionDbHarvest.js (excerpt)
const localPairs = [
  ['Google Chrome', path.join(local, 'Google', 'Chrome', 'User Data')],
  ['Microsoft Edge', path.join(local, 'Microsoft', 'Edge', 'User Data')],
  ['Brave', path.join(local, 'BraveSoftware', 'Brave-Browser', 'User Data')],
  ['Vivaldi', path.join(local, 'Vivaldi', 'User Data')],
  ['Opera', path.join(local, 'Opera Software', 'Opera Stable')],
  ['Opera GX', path.join(local, 'Opera Software', 'Opera GX Stable')],
  // ... 15+ more browsers including Yandex, Epic, Iridium, Thorium, Cent, Slimjet, 360Chrome, Coc Coc, Wavebox
];
```
The selection gate is precise: an extension folder is included only when it contains at least one .db file (the LevelDB signal for wallet extensions like MetaMask, Phantom, or Rabby). When triggered, the entire extension directory tree is copied, not just the database files. extensionDbHfUpload.js uploads the staged data to Hugging Face.
v1.0.91 also introduced relayAgentAutoUpgrade.js: the relay server advertises a recommended_agent_version, and agents whose version falls behind will self-upgrade. The upgrade is staggered by client ID hash to prevent all agents from hitting the registry at once, with a 6-hour cooldown between upgrade attempts:
```js
const MIN_INTERVAL_MS = 6 * 60 * 60 * 1000;
// Stagger: hash(clientId) % 30min window
```
This turns every infected machine into a managed endpoint the attacker can update at will.
Development Cadence
The version timeline reveals a disciplined release pattern:
| Date | Versions | Focus |
|---|---|---|
| May 4 | v1.0.66–68 | Initial relaunch after takedown |
| May 5 | v1.0.69–72 | Stability fixes (4 releases in 4 hours) |
| May 6 | v1.0.73–76 | More stabilization |
| May 13 | v1.0.77–78 | Explorer UI improvements |
| May 14–15 | v1.0.79–80 | WebRTC P2P channel |
| May 18 | v1.0.81–85, 90 | Crypto wallet scanner + durable persistence (6 releases in 10 hours) |
| May 26 | v1.0.91 | Browser extension theft + auto-upgrade |
The May 18 burst stands out. Six versions in a single day, delivering a complete secret scanning framework, cryptographic validation for three blockchain key formats, durable persistence, and browser extension harvesting. The operator had clearly built these features offline and pushed them in rapid succession.
The test suite also tracks the feature curve. v1.0.66 shipped 12 test files. By v1.0.91, the suite had grown to 20, adding tests for the bulk protocol, webhook posting, secret filename scanning, audit scan scope, audit throttling, Chromium extension harvesting, and desktop input sync. The attacker maintained test coverage as they expanded capabilities.
Attribution and Threat Actor Profile
jacksonkaandorp2 has published only forge-jsxy. The @outlook.com email follows the same pattern as the forge-jsx accounts: disposable webmail addresses with realistic-sounding names. The shared C2 infrastructure (204.10.194.247), shared encryption scheme (identical XOR-obfuscated AES key split), shared session password (secret), and continuous version numbering confirm the same operator across all three packages.
No confirmed link to any named threat group exists. The C2 IP 204.10.194.247 does not appear in any public threat intelligence feed. It is hosted on AS206216 (Advin Services LLC), a US-based VPS provider with German points of presence. The IP sits in the 204.10.194.0/24 block in Nürnberg. Advin is a commercial hosting provider, not a known bulletproof host, though Scamalytics rates it at 36/100 fraud risk.
The operator constructed a cover identity around taohunter.ai, a GoDaddy-hosted domain with Google Workspace MX records presenting as “Tao Hunter,” an AI company. No real business presence exists behind it. The npm accounts use realistic Western names (johnceballos0716, johntaohunter, jacksonkaandorp2) with mainstream email providers, a more deliberate identity strategy than the randomized handles common in other npm malware campaigns.
Comparison with DPRK npm Campaigns
A DPRK-attributed campaign centered on terminal-logger-utils (reported May 2026, threat actor alias jpeek895) shares several technical capabilities with forge-jsx/forge-jsxy: keylogging, clipboard monitoring, crypto wallet theft, screenshot capture, and Hugging Face Hub abuse for data exfiltration. Both skip CI environments and establish multi-platform persistence.
The similarities end at the technique level. The differences in operational style argue against a common origin:
- Infrastructure. forge-jsx uses a dedicated VPS IP; DPRK campaigns favor cloud platforms (Vercel, onrender, GitHub release artifacts) that blend with developer traffic.
- Account naming. forge-jsx uses realistic Western names; DPRK campaigns use randomized handles (jpeek895, pvnd3540749).
- Code quality. forge-jsx ships TypeScript with a 20-file test suite and structured JSDoc comments. DPRK npm malware typically uses obfuscated JavaScript, SEA binaries, or compiled Rust/NAPI-RS payloads.
- Encryption. forge-jsx uses a bespoke XOR-obfuscated AES-256-GCM key split for C2 config. DPRK campaigns use Obfuscator.io, paste services, or GitHub-hosted release artifacts.
- Social engineering. DPRK campaigns (Contagious Interview, PromptMink) pair malicious packages with fake recruiters and job interviews. forge-jsx relies purely on typosquatting the Autodesk Forge SDK brand.
- Multi-language toolchain. Code comments reference a Python counterpart (cfgmgr, table_naming.py, FastAPI backend) with port 9876 reserved for the Python relay. No tracked DPRK campaign has shown this pattern.
The Hugging Face exfiltration overlap is notable, but technique convergence is expected as multiple actors independently discover that HF traffic blends with legitimate ML development workflows. SafeDep’s Reaper threat intelligence pipeline found no overlapping IOCs with any tracked campaign (Glassworm, TeamPCP, LofyGang, PromptMink, or the axios supply chain compromise).
Infrastructure
The C2 at 204.10.194.247 runs two services: a WebSocket relay on port 9877 and an HTTP API on port 8765. The relay handles bidirectional agent control, credential delivery (HF tokens), feature flag distribution, and auto-upgrade coordination. The HTTP API receives exfiltrated data (keystrokes, clipboard, .env contents, shell history, host inventory).
Exfiltration uses three channels, each serving a different data type:
- HTTP API (hxxp://204[.]10[.]194[.]247:8765): keystrokes, clipboard, .env files, shell history, host inventory. High-frequency, low-volume.
- Discord webhooks: screenshots. The relay distributes short-lived webhook URLs from a pool of Discord bot tokens, deleting each webhook after a single upload. Rate limits are distributed across bots via FNV-1a hashing of the client ID.
- Hugging Face Hub: bulk data. Browser extension databases, secret audit results, and filesystem exports are uploaded to private repos under namespace/client_<seq_id>. HF credentials are encrypted with the same AES key as the C2 config and can be fetched from the relay on demand.
Impact
50 days of active operation with 88 package versions across three package names. The most recent version (v1.0.91) was published May 26, 2026. The operator is still active.
On any machine that installed any version:
- All keystrokes captured. Every password typed in every application, system-wide, via native OS keyboard hooks.
- All .env files and shell history exfiltrated. API keys, database credentials, cloud provider secrets.
- Cryptocurrency keys at risk. Starting v1.0.81, the scanner walks the entire filesystem with cryptographic validation: BIP39 mnemonics (checksum-verified), Solana keypairs (Ed25519 seed-to-pubkey verified), and secp256k1 private keys (scalar range checked). The precision of validation enables automated wallet draining.
- Browser wallet extensions compromised. Starting v1.0.91, LevelDB databases from Chromium wallet extensions (MetaMask, Phantom, Rabby, etc.) across 21+ browsers are copied and uploaded. These databases can contain encrypted private keys whose encryption keys derive from the user’s browser password, which the keylogger may have already captured.
- Persistence survives package removal. The durable agent directory lives outside node_modules. Running npm uninstall forge-jsxy removes the package but leaves the agent running. The relay can push version upgrades to all infected machines without any action from the victim.
Given the pattern of rapid reconstitution after the forge-jsx takedown (new account, new package name, same day), another package name is likely if forge-jsxy is removed.
Conclusion
forge-jsxy is not an isolated payload dropped and abandoned. It is an actively maintained offensive tool, developed iteratively on npm with the same discipline you would expect from a legitimate software project: versioned releases, test suites, feature branches, and CI-aware deployment. Over 22 versions, the operator added crypto wallet theft with real cryptographic validation, browser extension database harvesting across 21+ browsers, WebRTC P2P channels, durable persistence that survives package removal, and relay-pushed auto-upgrades.
Developers who installed any version of forge-jsxy should treat all credentials, crypto wallet keys, and browser extension data on the affected machine as compromised. Removing the npm package is insufficient: check for and remove the durable agent directory (~/.local/share/cfgmgr/.forge-jsxy/ on Linux), the systemd service, and the LaunchAgent or Task Scheduler entry. Rotate all secrets found in .env files and shell history. If you use browser-based crypto wallets, move funds to new wallets generated on a clean machine.
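A triage script for the cleanup described above (an added example, not SafeDep's tooling): it checks the Linux and macOS durable agent directories and persistence files from the IoC table, flags live connections to the C2 relay and HTTP API ports, and shows the postinstall chain of any forge-jsx / forge-jsxy copy found in a project's node_modules or package-lock.json. It only reports; removal is left to the operator, and the file name forge-jsxy-triage.sh is assumed.

```sh
#!/bin/sh
# forge-jsxy host and project triage. Added example, not SafeDep's tooling.
# Read-only: it reports indicators for a defender to review; it deletes nothing.
# Windows indicators (%LOCALAPPDATA%\CfgMgr, ForgeJSWorker task and Run key) need PowerShell.

# C2 from the IoC table, escaped for grep -E; 9877 = WebSocket relay, 8765 = HTTP API.
C2_RE='204\.10\.194\.247[.:](9877|8765)'

# Linux and macOS paths relative to $HOME: durable agent directories and persistence files.
FS_INDICATORS='
.local/share/cfgmgr/.forge-jsxy
Library/Application Support/CfgMgr/data/.forge-jsxy
.config/systemd/user/forge-js-worker.service
Library/LaunchAgents/com.forgejs.worker.plist
'

# forge_jsxy_fs_check HOME_DIR: prints "FOUND <path>" for every indicator present under HOME_DIR.
forge_jsxy_fs_check() {
  home_dir=$1
  old_ifs=$IFS
  IFS='
'
  # Split on newlines only, so "Application Support" survives as one path.
  for rel in $FS_INDICATORS; do
    IFS=$old_ifs
    if [ -e "$home_dir/$rel" ]; then
      printf 'FOUND %s\n' "$home_dir/$rel"
    fi
  done
  IFS=$old_ifs
}

# forge_jsxy_net_check TABLE: TABLE is the text of `ss -tn` (Linux) or `netstat -an` (macOS,
# which separates the port with a dot); prints the lines talking to the relay or HTTP API.
forge_jsxy_net_check() {
  printf '%s\n' "$1" | grep -E "$C2_RE" || true
}

# forge_jsxy_project_check PROJECT_DIR: reports the campaign's package names in node_modules
# and package-lock.json, and prints the postinstall chain of any installed copy.
forge_jsxy_project_check() {
  proj=$1
  for name in forge-jsx forge-jsxy @johntaohunter/forge-jsx; do
    pkg="$proj/node_modules/$name/package.json"
    if [ -f "$pkg" ]; then
      printf 'FOUND %s\n' "$pkg"
      grep -o '"postinstall": *"[^"]*"' "$pkg" || true
    fi
    if [ -f "$proj/package-lock.json" ] && grep -q "\"node_modules/$name\"" "$proj/package-lock.json"; then
      printf 'FOUND %s in %s/package-lock.json\n' "$name" "$proj"
    fi
  done
}

# Run everything against this user's home, live connections, and a project directory.
forge_jsxy_main() {
  forge_jsxy_fs_check "$HOME"
  if command -v ss >/dev/null 2>&1; then
    forge_jsxy_net_check "$(ss -tn 2>/dev/null)"
  elif command -v netstat >/dev/null 2>&1; then
    forge_jsxy_net_check "$(netstat -an 2>/dev/null)"
  fi
  forge_jsxy_project_check "${2:-.}"
}

# Usage: sh forge-jsxy-triage.sh --run [project_dir]
if [ "${1:-}" = '--run' ]; then
  forge_jsxy_main "$@"
fi
```

Every FOUND line corresponds to an entry in the IoC table, so a hit on the systemd unit or LaunchAgent means the durable copy is still scheduled to start even after npm uninstall.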
The full campaign (88 versions across forge-jsx and forge-jsxy over 50 days) demonstrates that malicious npm packages are not always smash-and-grab credential stealers. Some operators treat them as long-running software projects, adding features incrementally based on what data they can extract from infected machines.
Appendix: All Known Malicious Versions
The table below lists all 73 malicious versions published across forge-jsx, @johntaohunter/forge-jsx, and forge-jsxy between April 7 and May 26, 2026.
| # | ecosystem | name | version | published_on |
|---|---|---|---|---|
| 1 | npm | forge-jsx | 1.0.0 | 2026-04-07T07:11:08Z |
| 2 | npm | forge-jsx | 1.0.1 | 2026-04-07T07:20:03Z |
| 3 | npm | forge-jsx | 1.0.2 | 2026-04-07T07:26:39Z |
| 4 | npm | forge-jsx | 1.0.3 | 2026-04-07T10:05:43Z |
| 5 | npm | forge-jsx | 1.0.4 | 2026-04-07T21:13:06Z |
| 6 | npm | forge-jsx | 1.0.5 | 2026-04-14T12:34:11Z |
| 7 | npm | forge-jsx | 1.0.6 | 2026-04-15T15:48:36Z |
| 8 | npm | forge-jsx | 1.0.7 | 2026-04-16T06:33:47Z |
| 9 | npm | forge-jsx | 1.0.8 | 2026-04-17T15:08:03Z |
| 10 | npm | forge-jsx | 1.0.9 | 2026-04-17T15:50:33Z |
| 11 | npm | forge-jsx | 1.0.10 | 2026-04-20T02:06:40Z |
| 12 | npm | forge-jsx | 1.0.11 | 2026-04-20T03:10:02Z |
| 13 | npm | forge-jsx | 1.0.12 | 2026-04-21T17:12:08Z |
| 14 | npm | forge-jsx | 1.0.14 | 2026-04-21T23:41:12Z |
| 15 | npm | @johntaohunter/forge-jsx | 1.0.4 | 2026-04-14T10:30:55Z |
| 16 | npm | forge-jsx | 1.0.15 | 2026-04-22T05:58:43Z |
| 17 | npm | forge-jsx | 1.0.16 | 2026-04-22T06:18:16Z |
| 18 | npm | forge-jsx | 1.0.17 | 2026-04-22T06:49:37Z |
| 19 | npm | forge-jsx | 1.0.18 | 2026-04-22T07:34:47Z |
| 20 | npm | forge-jsx | 1.0.19 | 2026-04-22T09:59:27Z |
| 21 | npm | forge-jsx | 1.0.20 | 2026-04-22T10:37:04Z |
| 22 | npm | forge-jsx | 1.0.21 | 2026-04-22T11:48:35Z |
| 23 | npm | forge-jsx | 1.0.30 | 2026-04-22T12:23:46Z |
| 24 | npm | forge-jsx | 1.0.31 | 2026-04-22T13:47:47Z |
| 25 | npm | forge-jsx | 1.0.32 | 2026-04-22T15:45:34Z |
| 26 | npm | forge-jsx | 1.0.33 | 2026-04-22T16:41:27Z |
| 27 | npm | forge-jsx | 1.0.34 | 2026-04-28T11:52:02Z |
| 28 | npm | forge-jsx | 1.0.35 | 2026-04-28T12:23:56Z |
| 29 | npm | forge-jsx | 1.0.39 | 2026-04-28T14:07:17Z |
| 30 | npm | forge-jsx | 1.0.41 | 2026-04-28T19:27:20Z |
| 31 | npm | forge-jsx | 1.0.42 | 2026-04-28T19:38:17Z |
| 32 | npm | forge-jsx | 1.0.46 | 2026-04-28T22:30:14Z |
| 33 | npm | forge-jsx | 1.0.47 | 2026-04-29T09:36:05Z |
| 34 | npm | forge-jsx | 1.0.48 | 2026-04-29T10:16:58Z |
| 35 | npm | forge-jsx | 1.0.49 | 2026-04-29T13:21:19Z |
| 36 | npm | forge-jsx | 1.0.50 | 2026-04-29T17:29:21Z |
| 37 | npm | forge-jsx | 1.0.51 | 2026-04-29T21:11:05Z |
| 38 | npm | forge-jsx | 1.0.52 | 2026-04-29T21:42:40Z |
| 39 | npm | forge-jsx | 1.0.53 | 2026-04-29T22:30:18Z |
| 40 | npm | forge-jsx | 1.0.54 | 2026-04-29T22:58:16Z |
| 41 | npm | forge-jsx | 1.0.55 | 2026-04-29T23:16:32Z |
| 42 | npm | forge-jsx | 1.0.56 | 2026-04-29T23:53:23Z |
| 43 | npm | forge-jsx | 1.0.57 | 2026-04-30T00:17:26Z |
| 44 | npm | forge-jsx | 1.0.58 | 2026-04-30T07:23:59Z |
| 45 | npm | forge-jsx | 1.0.59 | 2026-04-30T08:05:24Z |
| 46 | npm | forge-jsx | 1.0.60 | 2026-04-30T08:43:50Z |
| 47 | npm | forge-jsx | 1.0.61 | 2026-04-30T11:34:00Z |
| 48 | npm | forge-jsx | 1.0.62 | 2026-04-30T23:30:36Z |
| 49 | npm | forge-jsx | 1.0.63 | 2026-05-01T01:20:12Z |
| 50 | npm | forge-jsx | 1.0.64 | 2026-05-01T02:22:19Z |
| 51 | npm | forge-jsx | 1.0.65 | 2026-05-01T02:52:27Z |
| 52 | npm | forge-jsx | 1.0.66 | 2026-05-03T22:36:55Z |
| 53 | npm | forge-jsxy | 1.0.66 | 2026-05-04T07:15:47Z |
| 54 | npm | forge-jsxy | 1.0.67 | 2026-05-04T07:39:09Z |
| 55 | npm | forge-jsxy | 1.0.68 | 2026-05-04T08:39:29Z |
| 56 | npm | forge-jsxy | 1.0.69 | 2026-05-05T17:46:16Z |
| 57 | npm | forge-jsxy | 1.0.70 | 2026-05-05T19:06:44Z |
| 58 | npm | forge-jsxy | 1.0.71 | 2026-05-05T20:21:03Z |
| 59 | npm | forge-jsxy | 1.0.72 | 2026-05-05T21:30:11Z |
| 60 | npm | forge-jsxy | 1.0.73 | 2026-05-06T08:05:51Z |
| 61 | npm | forge-jsxy | 1.0.74 | 2026-05-06T09:03:52Z |
| 62 | npm | forge-jsxy | 1.0.75 | 2026-05-06T15:27:00Z |
| 63 | npm | forge-jsxy | 1.0.76 | 2026-05-06T17:43:34Z |
| 64 | npm | forge-jsxy | 1.0.77 | 2026-05-13T16:07:11Z |
| 65 | npm | forge-jsxy | 1.0.78 | 2026-05-13T19:04:15Z |
| 66 | npm | forge-jsxy | 1.0.79 | 2026-05-14T20:49:22Z |
| 67 | npm | forge-jsxy | 1.0.80 | 2026-05-15T12:29:01Z |
| 68 | npm | forge-jsxy | 1.0.81 | 2026-05-18T10:24:50Z |
| 69 | npm | forge-jsxy | 1.0.82 | 2026-05-18T17:55:46Z |
| 70 | npm | forge-jsxy | 1.0.83 | 2026-05-18T18:17:52Z |
| 71 | npm | forge-jsxy | 1.0.84 | 2026-05-18T18:31:15Z |
| 72 | npm | forge-jsxy | 1.0.85 | 2026-05-18T18:36:54Z |
| 73 | npm | forge-jsxy | 1.0.90 | 2026-05-18T21:03:05Z |
| 74 | npm | forge-jsxy | 1.0.91 | 2026-05-26T13:56:49Z |
Author
SafeDep Team
safedep.io