{"campaign":{"name":"forge-jsx RAT","slug":"forge-jsx-rat","href":"/ti/campaigns/forge-jsx-rat","description":"Multi-wave npm supply chain campaign deploying a cross-platform RAT disguised as Autodesk Forge SDK packages. Uses shared C2 infrastructure at 204.10.194.247 across waves. Wave 1 (forge-jsx, April 2026) provided base RAT capabilities. Wave 2 (forge-jsxy, May 2026) added Discord screenshot exfiltration, Hugging Face uploads, crypto wallet scanning, Chromium extension harvesting, WebRTC P2P, and durable persistence outside node_modules.","aliases":[],"discovered_at":"2026-04-15"},"packages":[{"ecosystem":"npm","name":"forge-jsx","href":"/ti/packages/npm/forge-jsx","threat_types":["rat","credential_stealer","data_exfiltration","persistence","c2_agent"],"versions":["1.0.0","1.0.1","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.7","1.0.8","1.0.9","1.0.10","1.0.11","1.0.12","1.0.13","1.0.14","1.0.15","1.0.16","1.0.17","1.0.18","1.0.19","1.0.20","1.0.21","1.0.22","1.0.23","1.0.24","1.0.25","1.0.26","1.0.27","1.0.28","1.0.29","1.0.30","1.0.31","1.0.32","1.0.33","1.0.34","1.0.35","1.0.36","1.0.37","1.0.38","1.0.39","1.0.40","1.0.41","1.0.42","1.0.43","1.0.44","1.0.45","1.0.46","1.0.47","1.0.48","1.0.49","1.0.50","1.0.51","1.0.52","1.0.53","1.0.54","1.0.55","1.0.56","1.0.57","1.0.58","1.0.59","1.0.60","1.0.61","1.0.62","1.0.63","1.0.64","1.0.65","1.0.66"]},{"ecosystem":"npm","name":"@johntaohunter/forge-jsx","href":"/ti/packages/npm/@johntaohunter/forge-jsx","threat_types":["rat","credential_stealer","data_exfiltration","persistence","c2_agent"],"versions":["1.0.4"]},{"ecosystem":"npm","name":"forge-jsxy","href":"/ti/packages/npm/forge-jsxy","threat_types":["rat","credential_stealer","data_exfiltration","persistence","c2_agent","crypto_drainer"],"versions":["1.0.66","1.0.67","1.0.68","1.0.69","1.0.70","1.0.71","1.0.72","1.0.73","1.0.74","1.0.75","1.0.76","1.0.77","1.0.78","1.0.79","1.0.80","1.0.81","1.0.82","1.0.83","1.0.84","1.0.85","1.0.86","1.0.91"]}],"indicators":[
{"kind":"domain","value":"204.10.194.247","href":"/ti/ioc/domain/204.10.194.247","context":"Network indicator from blog post (the value is an IPv4 address, not a hostname; the same address is also listed under kind ipv4)"},{"kind":"ipv4","value":"204.10.194.247","href":"/ti/ioc/ipv4/204.10.194.247","context":"C2 server (AS206216 Advin Services LLC, Nurnberg DE). WebSocket relay on port 9877, HTTP API on port 8765. Shared across all forge-jsx/forge-jsxy waves."},{"kind":"sha256","value":"4cb96c3b033c1aaf7b3d0fe54749058f14d4d914947a6d6d430aca108a7daa5a","href":"/ti/ioc/sha256/4cb96c3b033c1aaf7b3d0fe54749058f14d4d914947a6d6d430aca108a7daa5a","context":"SHA-256 of forge-jsx (Wave 1)"},{"kind":"email","value":"john@taohunter.ai","href":"/ti/ioc/email/john@taohunter.ai","context":"npm account email for johntaohunter, publisher of @johntaohunter/forge-jsx"},{"kind":"email","value":"johnceballos0716@gmail.com","href":"/ti/ioc/email/johnceballos0716@gmail.com","context":"npm account email for johnceballos0716, publisher of forge-jsx (Wave 1)"},{"kind":"url","value":"ws://204.10.194.247:9877","href":"/ti/ioc/url/url-253b2bf9df4b","context":"WebSocket C2 relay endpoint for forge-jsx RAT campaign"},{"kind":"url","value":"http://204.10.194.247:8765","href":"/ti/ioc/url/url-cb4c7a0deb59","context":"HTTP API endpoint for forge-jsx RAT campaign"},{"kind":"sha256","value":"4938d47fe6216f8f9fee0527bf5112c04c15a9ea62f87869677619aa5400f09f","href":"/ti/ioc/sha256/4938d47fe6216f8f9fee0527bf5112c04c15a9ea62f87869677619aa5400f09f","context":"SHA-256 of forge-jsxy v1.0.91 (latest Wave 2 version)"},{"kind":"sha256","value":"8070daba5d6ca61c357574526d1e0f468ae575a4edf74cc90a8d8b8c78e3aeef","href":"/ti/ioc/sha256/8070daba5d6ca61c357574526d1e0f468ae575a4edf74cc90a8d8b8c78e3aeef","context":"SHA-256 of forge-jsxy v1.0.66 (first Wave 2 version)"},{"kind":"email","value":"jacksonkaandorp2@outlook.com","href":"/ti/ioc/email/jacksonkaandorp2@outlook.com","context":"npm account email for jacksonkaandorp2, publisher of forge-jsxy (Wave 
2)"},{"kind":"domain","value":"taohunter.ai","href":"/ti/ioc/domain/taohunter.ai","context":"Domain associated with johntaohunter npm account (Wave 1)"},{"kind":"file_path","value":"~/.config/systemd/user/forge-js-worker.service","href":"/ti/ioc/file_path/file_path-1cbc96dac65a","context":"Linux systemd persistence for forge-jsx RAT"},{"kind":"file_path","value":"~/.config/autostart/forge-js-worker.desktop","href":"/ti/ioc/file_path/file_path-6146aef02482","context":"Linux XDG autostart persistence for forge-jsx RAT"},{"kind":"file_path","value":"~/Library/LaunchAgents/com.forgejs.worker.plist","href":"/ti/ioc/file_path/file_path-e8d302abc731","context":"macOS LaunchAgent persistence for forge-jsx RAT"}],"ttps":[{"name":"Supply Chain Compromise: Compromise Software Dependencies and Development Tools","mitre_attack_id":"T1195.001","href":"/ti/ttps/T1195.001"},{"name":"Command and Scripting Interpreter: JavaScript","mitre_attack_id":"T1059.007","href":"/ti/ttps/T1059.007"},{"name":"Unsecured Credentials: Credentials In Files","mitre_attack_id":"T1552.001","href":"/ti/ttps/T1552.001"},{"name":"Exfiltration Over C2 Channel","mitre_attack_id":"T1041","href":"/ti/ttps/T1041"},{"name":"Ingress Tool Transfer","mitre_attack_id":"T1105","href":"/ti/ttps/T1105"},{"name":"Application Layer Protocol: Web Protocols","mitre_attack_id":"T1071.001","href":"/ti/ttps/T1071.001"},{"name":"Event Triggered Execution","mitre_attack_id":"T1546","href":"/ti/ttps/T1546"},{"name":"Supply Chain Compromise: Compromise Software Supply Chain","mitre_attack_id":"T1195.002","href":"/ti/ttps/T1195.002"},{"name":"Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder","mitre_attack_id":"T1547.001","href":"/ti/ttps/T1547.001"},{"name":"Boot or Logon Autostart Execution: Launch Agent","mitre_attack_id":"T1547.004","href":"/ti/ttps/T1547.004"},{"name":"Create or Modify System Process: Systemd Service","mitre_attack_id":"T1543.002","href":"/ti/ttps/T1543.002"},{"name":"Input Capture: 
Keylogging","mitre_attack_id":"T1056.001","href":"/ti/ttps/T1056.001"},{"name":"Clipboard Data","mitre_attack_id":"T1115","href":"/ti/ttps/T1115"},{"name":"Screen Capture","mitre_attack_id":"T1113","href":"/ti/ttps/T1113"},{"name":"Data from Local System","mitre_attack_id":"T1005","href":"/ti/ttps/T1005"},{"name":"Exfiltration Over Web Service: Exfiltration to Code Repository","mitre_attack_id":"T1567.001","href":"/ti/ttps/T1567.001"},{"name":"Obfuscated Files or Information","mitre_attack_id":"T1027","href":"/ti/ttps/T1027"},{"name":"System Information Discovery","mitre_attack_id":"T1082","href":"/ti/ttps/T1082"},{"name":"Browser Information Discovery","mitre_attack_id":"T1217","href":"/ti/ttps/T1217"},{"name":"Automated Exfiltration","mitre_attack_id":"T1020","href":"/ti/ttps/T1020"}],"related_campaigns":[],"reports":[{"title":"forge-jsx npm Package: Purpose-Built Multi-Platform RAT","url":"https://safedep.io/malicious-forge-jsx-npm-rat","published_at":"2026-04-15"},{"title":"forge-jsxy: Evolution of the forge-jsx npm RAT","url":"https://safedep.io/malicious-forge-jsxy-npm-rat-evolution","published_at":"2026-05-26"}]}