Multi-wave npm supply chain campaign deploying a cross-platform RAT disguised as Autodesk Forge SDK packages. Uses shared C2 infrastructure at 204.10.194.247 and 212.193.3.61 (same ASN/city, AS206216 Advin Services LLC, Nurnberg DE) across all waves. Wave 1 (forge-jsx, April 2026) provided base RAT capabilities. Wave 2 (forge-jsxy, May 2026) added Discord screenshot exfiltration, Hugging Face uploads, crypto wallet scanning, Chromium extension harvesting, WebRTC P2P, and durable persistence outside node_modules. Wave 3 (forge-jsx4 + pino-zod + zod-pino, June 2026) confirmed identical C2 config and AES key material, introduced C2 IP rotation and simultaneous multi-package operation. Wave 4 (compose-logger-stand + zod-pino434 + zod-pino444 + zredis-typed + pinokio-redis, July 2026) closed the v1.0.126 version gap and introduced the campaign's first AES key rotation while reusing Wave 3's C2 IP; the durable directory string .forge-jsxy and README.md title 'forge-jsx' persist across every rename. The older v1.0.92-v1.0.121 version gap between forge-jsxy and forge-jsx4 remains unresolved and unidentified.
Packages
- npm forge-jsxattributed-to
- npm @johntaohunter/forge-jsxattributed-to
- npm forge-jsxyattributed-to
- npm forge-jsx4attributed-to
- npm pino-zodattributed-to
- npm zod-pinoattributed-to
- npm compose-logger-standattributed-to
- npm zod-pino434attributed-to
- npm zod-pino444attributed-to
- npm zredis-typedattributed-to
- npm pinokio-redisattributed-to
Indicators
- domain 204.10.194.247communicates-with
- ipv4 204.10.194.247communicates-with
- sha256 4cb96c3b033c1aaf7b3d0fe54749058f14d4d914947a6d6d430aca108a7daa5aindicates
- email [email protected]exfiltrates-to
- email [email protected]exfiltrates-to
- url ws://204.10.194.247:9877communicates-with
- url http://204.10.194.247:8765communicates-with
- sha256 4938d47fe6216f8f9fee0527bf5112c04c15a9ea62f87869677619aa5400f09findicates
- sha256 8070daba5d6ca61c357574526d1e0f468ae575a4edf74cc90a8d8b8c78e3aeefindicates
- email [email protected]indicates
- domain taohunter.aicommunicates-with
- file_path ~/.config/systemd/user/forge-js-worker.servicedrops
- file_path ~/.config/autostart/forge-js-worker.desktopdrops
- file_path ~/Library/LaunchAgents/com.forgejs.worker.plistdrops
- sha256 6321dacc21675f81c4cee7db8434ca4cf0e228d3b592bde26a0a40f223dbb00eindicates
- email [email protected]indicates
- ipv4 212.193.3.61communicates-with
- url ws://212.193.3.61:9877communicates-with
- url http://212.193.3.61:8765communicates-with
- sha256 0eb72e0794c7e51ca1d790c443b5f573e1288bad6e6c56d1bd9c4b69a71d65d0indicates
- sha256 1f7616b3c38f85860abd9ae989d72915e9c13f0d106804471a811a38d63e5293indicates
- sha256 0085d5b5d4a2bbb3fd1f38e6b251872d4f753aa8f1ac7f20524c521ff5ca5933indicates
- email [email protected]indicates
- sha256 a99be9fe0e7d66064a11ee096fd8c1a9178e3ee2b761fa8a2bde81bfe846b9a2indicates
- sha256 9e570641fd815e2fd6cf50aaa847c43c2fe938c7b368bf7c239f511827ff9a24indicates
- email [email protected]indicates
- sha256 93817e263f285f20ed213eb07bbab2857493183c0abf9563facfc65fdd4467f7indicates
- sha256 1d4ef70d7856704b373579ae23cba0ebf690ef062b29361f6aa0f51a1cdd9052indicates
- sha256 a1853a45bcb561f96e0e7c0dec7f96e640ae53be62e65158880812ff104c9e41indicates
- sha256 a400b0342add77fd3a58e086334b35e11d79e234b180bb360f48adcd61ec4acdindicates
Techniques
- ttp T1195.001 Compromise Software Dependencies and Development Toolsuses
- ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
- ttp T1552.001 Unsecured Credentials: Credentials In Filesuses
- ttp T1041 Exfiltration Over C2 Channeluses
- ttp T1105 Ingress Tool Transferuses
- ttp T1071.001 Application Layer Protocol: Web Protocolsuses
- ttp T1546 Event Triggered Executionuses
- ttp T1195.002 Compromise Software Supply Chainuses
- ttp T1547.001 Boot or Logon Autostart Execution: Registry Run Keysuses
- ttp T1547.004 Boot or Logon Autostart Execution: Launch Agentuses
- ttp T1543.002 Systemd Serviceuses
- ttp T1056.001 Input Capture: Keylogginguses
- ttp T1115 Clipboard Datauses
- ttp T1113 Screen Captureuses
- ttp T1005 Data from Local Systemuses
- ttp T1567.001 Exfiltration to Code Repositoryuses
- ttp T1027 Obfuscated Files or Informationuses
- ttp T1082 System Information Discoveryuses
- ttp T1217 Browser Information Discoveryuses
- ttp T1020 Automated Exfiltrationuses