forge-jsx RAT

discovered 2026-04-15

Multi-wave npm supply chain campaign deploying a cross-platform RAT disguised as Autodesk Forge SDK packages. Uses shared C2 infrastructure at 204.10.194.247 and 212.193.3.61 (same ASN/city, AS206216 Advin Services LLC, Nurnberg DE) across all waves. Wave 1 (forge-jsx, April 2026) provided base RAT capabilities. Wave 2 (forge-jsxy, May 2026) added Discord screenshot exfiltration, Hugging Face uploads, crypto wallet scanning, Chromium extension harvesting, WebRTC P2P, and durable persistence outside node_modules. Wave 3 (forge-jsx4 + pino-zod + zod-pino, June 2026) confirmed identical C2 config and AES key material, introduced C2 IP rotation and simultaneous multi-package operation. Wave 4 (compose-logger-stand + zod-pino434 + zod-pino444 + zredis-typed + pinokio-redis, July 2026) closed the v1.0.126 version gap and introduced the campaign's first AES key rotation while reusing Wave 3's C2 IP; the durable directory string .forge-jsxy and README.md title 'forge-jsx' persist across every rename. The older v1.0.92-v1.0.121 version gap between forge-jsxy and forge-jsx4 remains unresolved and unidentified.

Packages

Indicators

Techniques

Read the full analysis →