ACTIVELY ONGOING single-actor npm supply chain campaign, named for the wshu.net publisher addresses that tie its members together; @apexcraft/nano-key is the convicted ROOT/lineage member (secondary identifier). Amazon Inspector security research (Chi Tran, 2026-06-19) independently documented the SAME cluster as 'Operation Friday Harvest' (same 13 wshu.net scopes, same <scope>-<6char>@wshu.net burner pattern, same ~260-282KB obfuscator.io payload, same dual trigger); that independent corroboration raises confidence in the cluster to HIGH/confirmed.

Confirmed members now total 15 packages across 13 throwaway scopes seeded on 2026-06-04; THREE of those scopes (@zynkit, @frostnode, @gleamkit) each also hold a payload-free scope-reservation probe stub. Amazon Inspector's fuller version enumeration shows 64 malicious versions across the cluster, broader ranges than SafeDep pulled statically (e.g. @apexcraft/nano-key 1.2.4/1.2.5/1.3.2-1.3.8, @glitchpad/throttler 2.1.1/2.2.1-2.2.4, @nullzero/urlcat 1.4.0-1.4.3, @tinyfox/shapecheck 0.7.4/0.8.5-0.8.8, @zynkit/jwtbytes 0.4.3/0.5.1-0.5.4). Each payload package masquerades as a small developer utility (JWT/byte helper, retry wrapper, shape validator, throttler, logger, hex parser, env validator, datetime lib, RxJS poll operator) but ships a 259-282KB javascript-obfuscator payload blob executed via a postinstall hook.

CORRECTED PAYLOAD BEHAVIOR (Amazon Inspector dynamic analysis SUPERSEDES the earlier static hypothesis): the obfuscated JS blob is a DOWNLOADER/LOADER, not a self-contained browser-credential stealer. It spawns a detached child process behind env-var guards, downloads a ~10.6MB Rust-compiled binary from GitHub Releases (github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/{linux,mac,win.js}) and executes it.
The Rust binary is the actual infostealer: 30+ crypto wallets (MetaMask, Phantom, Trust Wallet, Solflare, Keplr, Ledger, Trezor, ...), browser credentials (Chrome/Brave/Firefox/Edge passwords, cookies, history, autofill, cards), cloud tokens (AWS/GCP/Azure/Kubernetes), SSH keys, Discord tokens and Telegram session data, developer credentials (npm tokens, .env, .npmrc, GitHub PATs, PyPI tokens), and DB client connection strings (DBeaver/pgAdmin/MongoDB Compass). Persistence: a systemd USER service masquerading as a benign daemon (observed names: colord, haveged) at ~/.local/bin/<daemon> plus ~/.config/systemd/user/<daemon>.service. Exfil C2: the Windows variant uses the Telegram Bot API (api.telegram.org, 149.154.166.110); the Linux/macOS variants POST multipart/form-data over HTTP (minreq lib) and only after anti-VM checks pass (the Windows variant is NOT gated).

The EARLIER static hypothesis - that the payload was itself the convicted @apexcraft/nano-key Chromium browser-credential stealer (Cookies/Login Data -> aes-256-gcm decrypt -> HTTPS exfil) - is SUPERSEDED by this confirmed downloader -> Rust-infostealer chain; browser-credential theft survives only as one capability of the Rust second stage, not as the whole payload. SafeDep's independently verified FIRST-STAGE observations stand: the obfuscator.io RC4+base64 string decoder, the guarded runPrepare()/onInstall() wrapper auto-fired via require.main===module, dynamic require to keep module names out of the static graph, and byte-identical/near-identical compiled blobs. The STRONGER pivot is the GitHub delivery account angelmaybeth21-oss (created 2026-06-03; repo 'test' now removed but the account is live) and the secondary account smilingdusty233 (created 2026-05-31), not the shared disposable wshu.net email.
The DURABLE campaign fingerprint is the shared obfuscator.io template plus 5 build clusters (A-E) keyed by string-array function name and re-entrancy guard tag (A=_0xe119/__EE9863E13F_TAG: @apexcraft, @briskforge, @chunklab; B=_0x36b9/__7D0A53D40B_TAG: @glitchpad, @nullzero, @lazyutil; C=_0x175f/__38CC632841_TAG: @petitcode, @tinyfox, @thymelab, @zynkit; D=_0x5da4/__70FE9F7AB6_TAG: @bytemend; E=_0x15fd/__4C6BA78C7C_TAG: @frostnode). Members of the same cluster share the same obfuscator seed, which explains SafeDep's byte-identical-blob finding.

CORRECTION: wshu.net is a PUBLIC DISPOSABLE-EMAIL provider (listed in disposable-email-domains, fakefilter, the MISP warninglists and authgear's free-email list, and seen in unrelated apps' temp-mail signup logs), so the wshu.net domain ALONE is a NOISY pivot, NOT a unique attacker-owned indicator. The latest dist-tag of every payload package was republished with empty scripts, so a casual npm view metadata check (which reads only latest) looks clean while the payload remains in mid-range versions. @nullzero/urlcat (publisher [email protected]) is a same-actor member whose flagged version 1.4.2 was UNPUBLISHED before SafeDep's static inspection. The earlier noon-contracts npm package (2026-05-10, publisher [email protected]) shares ONLY the disposable-email provider, not payload or code; that link is WEAKENED - treat it as a low/medium-confidence lead.
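The first-stage markers above (postinstall hook, require.main===module auto-fire, dynamic require through the obfuscated string table, the __XXXXXXXXXX_TAG re-entrancy guard, the cluster string-array function names and the 259-282KB blob size) can be checked statically against an extracted tarball without running anything. The scanner below is an added example written for this page, not SafeDep's or Amazon Inspector's tooling; the package name @example/lookalike, its identifiers and its padded file contents are constructed to mimic a cluster-A member and are not a real cluster member.

```javascript
'use strict';

// Build clusters A-E as this page lists them: string-array function name,
// re-entrancy guard tag (hex between "__" and "_TAG"), and the scopes seen so far.
const CLUSTERS = {
  A: { fn: '_0xe119', tag: 'EE9863E13F', scopes: ['@apexcraft', '@briskforge', '@chunklab'] },
  B: { fn: '_0x36b9', tag: '7D0A53D40B', scopes: ['@glitchpad', '@nullzero', '@lazyutil'] },
  C: { fn: '_0x175f', tag: '38CC632841', scopes: ['@petitcode', '@tinyfox', '@thymelab', '@zynkit'] },
  D: { fn: '_0x5da4', tag: '70FE9F7AB6', scopes: ['@bytemend'] },
  E: { fn: '_0x15fd', tag: '4C6BA78C7C', scopes: ['@frostnode'] },
};
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const BLOB_MIN = 259 * 1024, BLOB_MAX = 282 * 1024; // first-stage blob size band from the page

// pkg = { packageJson: <parsed package.json>, files: { relativePath: sourceText } }
function triagePackage(pkg) {
  const findings = [];
  const scripts = pkg.packageJson.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string' && scripts[h].trim() !== '');
  if (hooks.length) findings.push(`install hook(s): ${hooks.join(', ')}`);

  let cluster = null;
  for (const [name, src] of Object.entries(pkg.files)) {
    const size = Buffer.byteLength(src, 'utf8');
    if (size >= BLOB_MIN && size <= BLOB_MAX) findings.push(`${name}: ${size} bytes, inside the 259-282KB payload band`);
    if (/require\.main\s*===?\s*module/.test(src)) findings.push(`${name}: self-executes when run directly (require.main===module)`);
    // require(_0x45af03['GyrZN']) style: the module name is resolved through the string table
    if (/require\(\s*_0x[0-9a-f]{4,}\s*\[\s*['"][\w$]+['"]\s*\]\s*\)/.test(src)) {
      findings.push(`${name}: dynamic require keeps module names out of the static graph`);
    }
    for (const tag of new Set(src.match(/__[0-9A-F]{10}_TAG/g) || [])) {
      const hex = tag.slice(2, 12);
      const hit = Object.entries(CLUSTERS).find(([, c]) => c.tag === hex);
      findings.push(`${name}: guard tag ${tag}` + (hit ? ` matches cluster ${hit[0]}` : ' (not in A-E)'));
      if (hit) cluster = hit[0];
    }
    const m = src.match(/function\s+(_0x[0-9a-f]{4})\s*\(/);
    if (m) {
      const hit = Object.entries(CLUSTERS).find(([, c]) => c.fn === m[1]);
      findings.push(`${name}: string-array function ${m[1]}` + (hit ? ` matches cluster ${hit[0]}` : ''));
      if (hit && cluster === null) cluster = hit[0];
    }
  }
  const scope = pkg.packageJson.name.startsWith('@') ? pkg.packageJson.name.split('/')[0] : null;
  if (cluster !== null && scope !== null && !CLUSTERS[cluster].scopes.includes(scope)) {
    findings.push(`${scope} not previously seen in cluster ${cluster}: candidate new member`);
  }
  // Install hook plus a cluster marker is the campaign signature; a hook alone is only a lead.
  const verdict = cluster !== null && hooks.length ? 'campaign-fingerprint' : hooks.length ? 'review' : 'clean';
  return { verdict, cluster, hooks, findings };
}

// Constructed sample mimicking a cluster-A member. The name, the _0x identifiers and the
// padded comment are invented for this example; none of it is a real package's code.
const LOOKALIKE = {
  packageJson: { name: '@example/lookalike', version: '1.2.4', scripts: { postinstall: 'node dist/index.js' } },
  files: {
    'dist/index.js': [
      "function _0xe119(){const _0x1a2b3c=['dGVzdA==','GyrZN'];return _0xe119=function(){return _0x1a2b3c;},_0xe119();}",
      "if(!global.__EE9863E13F_TAG){global.__EE9863E13F_TAG=1;const _0x45af03={'GyrZN':'child_process'};",
      "const cp=require(_0x45af03['GyrZN']);function runPrepare(){}function onInstall(){runPrepare();}",
      'if(require.main===module){onInstall();}}',
      '/*' + 'A'.repeat(260 * 1024) + '*/', // pad into the observed size band
    ].join('\n'),
  },
};
const CLEAN = { packageJson: { name: 'left-pad-ish', version: '1.0.0' }, files: { 'index.js': 'module.exports = (s, n) => s.padStart(n);' } };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triagePackage(LOOKALIKE), null, 2));
  console.log(triagePackage(CLEAN).verdict);
}
```

To run it against a real tarball, npm pack the suspect version, extract it, parse package/package.json and read every .js file under package/ into the files map. A guard tag that matches none of A-E with the other markers present is worth keeping as a possible sixth build cluster rather than dismissing.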
Objective
Compromise developer and CI hosts at scale: install-time obfuscated npm packages download and run a Rust-compiled infostealer that harvests crypto wallets, browser credentials, cloud/SSH/developer tokens, and chat-app sessions, exfiltrated via Telegram (Windows) or HTTP multipart (Linux/macOS).
Related campaigns
Packages
- npm @apexcraft/nano-key (attributed-to)
- npm @bytemend/mfebus (attributed-to)
- npm @chunklab/hexparse (attributed-to)
- npm @zynkit/jwtbytes (attributed-to)
- npm @zynkit/probe (attributed-to)
- npm @petitcode/eb-retry (attributed-to)
- npm @tinyfox/shapecheck (attributed-to)
- npm @glitchpad/throttler (attributed-to)
- npm @thymelab/logfx (attributed-to)
- npm @briskforge/envcheck (attributed-to)
- npm @lazyutil/dater (attributed-to)
- npm @frostnode/waitfor (attributed-to)
- npm @nullzero/urlcat (attributed-to)
- npm @frostnode/probe (attributed-to)
- npm @gleamkit/probe (attributed-to)
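Because every payload package had its latest dist-tag republished with empty scripts while the hooks stayed in mid-range versions (and @nullzero/urlcat 1.4.2 was unpublished outright), a check that reads only latest misses the cluster. The audit below walks the full registry document (GET https://registry.npmjs.org/<name>, with the slash in a scoped name encoded as %2F) instead. It is an added example for this page, not a tool from SafeDep or Amazon Inspector; the packument SAMPLE_DOC for @example/lookalike is constructed to mirror the page's version pattern, and the removed-version heuristic assumes the registry keeps a publish timestamp in the time map for a version that was later unpublished.

```javascript
'use strict';

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// doc = the registry packument: { name, 'dist-tags', versions: { v: { scripts, ... } }, time: { v: ISO } }
function auditPackument(doc) {
  const latest = doc['dist-tags'] ? doc['dist-tags'].latest : undefined;
  const versions = doc.versions || {};
  const times = doc.time || {};
  const hooked = [];
  for (const [v, meta] of Object.entries(versions)) {
    const s = meta.scripts || {};
    const hooks = INSTALL_HOOKS.filter((h) => typeof s[h] === 'string' && s[h].trim() !== '');
    if (hooks.length) hooked.push({ version: v, hooks, published: times[v] || null });
  }
  const latestHooked = hooked.some((h) => h.version === latest);
  // Assumption: a version that has a timestamp but no metadata was unpublished.
  const removed = Object.keys(times).filter((k) => k !== 'created' && k !== 'modified' && !(k in versions));
  // Spread of the hooked versions' publish times; the cluster seeded its scopes in one day.
  const stamps = hooked.map((h) => h.published).filter(Boolean).map((t) => Date.parse(t));
  const burstHours = stamps.length > 1 ? (Math.max(...stamps) - Math.min(...stamps)) / 36e5 : 0;
  return {
    name: doc.name,
    latest,
    latestHooked,
    hookedVersions: hooked.map((h) => h.version),
    hiddenPayload: hooked.length > 0 && !latestHooked, // latest looks clean, older versions do not
    removedVersions: removed,
    burstHours,
  };
}

// Constructed packument: hooks in 1.2.4/1.2.5, 1.2.6 unpublished, latest 1.3.0 republished clean.
const SAMPLE_DOC = {
  name: '@example/lookalike',
  'dist-tags': { latest: '1.3.0' },
  versions: {
    '1.2.3': { version: '1.2.3', scripts: { test: 'node test.js' } },
    '1.2.4': { version: '1.2.4', scripts: { postinstall: 'node dist/index.js' } },
    '1.2.5': { version: '1.2.5', scripts: { postinstall: 'node dist/index.js' } },
    '1.3.0': { version: '1.3.0', scripts: {} },
  },
  time: {
    created: '2026-06-04T09:00:00.000Z',
    modified: '2026-06-05T08:00:00.000Z',
    '1.2.3': '2026-06-04T09:00:00.000Z',
    '1.2.4': '2026-06-04T10:00:00.000Z',
    '1.2.5': '2026-06-04T10:05:00.000Z',
    '1.2.6': '2026-06-04T10:09:00.000Z',
    '1.3.0': '2026-06-05T08:00:00.000Z',
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditPackument(SAMPLE_DOC), null, 2));
}
```

In a lockfile review the useful output is hookedVersions intersected with the versions actually resolved; hiddenPayload true on a package whose latest you checked by hand is exactly the evasion this campaign relies on.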
Indicators
- domain wshu.net (indicates)
- file_path require(_0x45af03['GyrZN']) (indicates)
- email [email protected] (indicates)
- github_repo angelmaybeth21-oss/test (indicates)
- github_repo smilingdusty233 (indicates)
- file_path __[0-9A-F]{10}_TAG (indicates)
- email [email protected] (communicates-with)
- sha256 618dfffb6829356c131fded9f4c6528b73b4f9d7ff1fc1d3b457599a12584e29 (indicates)
- url https://github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/linux (communicates-with)
- url https://github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/mac (communicates-with)
- url https://github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/win.js (communicates-with)
- sha256 2457b2e775a5fe7a9e022ba77074a1b9aacb41b4fc0cc1d8a3dc66546599c5de (drops)
- sha256 b1c7b17f31a84e2596250121c3610ae5e0d592651940dd6c0dd74506f0f38313 (drops)
- sha256 11fe3a47333f63fd0e0a32ea16351eb302659aba983c07e4ea3dc9b09b618509 (drops)
- domain api.telegram.org (exfiltrates-to)
- ipv4 149.154.166.110 (exfiltrates-to)
- file_path /tmp/_installer-0/ (indicates)
- file_path ~/.local/bin/<daemon> (indicates)
- file_path ~/.config/systemd/user/<daemon>.service (indicates)
- file_path ~/.local/state/<daemon>/{install.nonce,machine.id} (indicates)
- email [email protected] (communicates-with)
- sha256 a9a28f2e9f7e0348092682940b3bf63d47a63afc18eb8bfe628e5ddab0d73b47 (indicates)
- email [email protected] (communicates-with)
- sha256 24c8f9b8ac17c2f88cc01d44543963206472112510962b68cf5f74d598b3b065 (indicates)
- email [email protected] (communicates-with)
- sha256 d06ee17d30ebb333ab2e5b6e8a1324fcf95edaaae17b6793ec0f3647338efda1 (indicates)
- email [email protected] (communicates-with)
- sha256 32d02f806d58a6670f7cc9b93f1d85b22e0e0f535e1f90a62d86918033896f54 (indicates)
- email [email protected] (communicates-with)
- sha256 0d27ca72b6f02faf4db95effb18347a7e2fa2def2034707bf9e56fa217879a3b (indicates)
- email [email protected] (communicates-with)
- sha256 68b4fe54a4c05cd0115535ebd4aa8d3cccb03ea5a685f440314814ba1b89e875 (indicates)
- email [email protected] (communicates-with)
- sha256 4e927f22ad04f4ac9b487ae11412fc2a55210188789ac29f3a47ad77931907a5 (indicates)
- email [email protected] (communicates-with)
- sha256 26ddfae644673e0ad65b63caaaf67c0f7dc6c2b2b4127bb5271f8d03fb62091a (indicates)
- email [email protected] (communicates-with)
- email [email protected] (communicates-with)
- sha256 2de602e6422a991346aaf0b74ed6bd525215f5177b9f7f267ccb4d82e919273d (indicates)
- file_path require(_0x2cb1b0['UGeLH']) (indicates)
- email [email protected] (communicates-with)
- email [email protected] (communicates-with)
Techniques
- ttp T1195.002 Compromise Software Supply Chain (uses)
- ttp T1059.007 Command and Scripting Interpreter: JavaScript (uses)
- ttp T1027 Obfuscated Files or Information (uses)
- ttp T1555.003 Credentials from Password Stores: Web Browsers (uses)
- ttp T1539 Steal Web Session Cookie (uses)
- ttp T1071.001 Application Layer Protocol: Web Protocols (uses)
- ttp T1105 Ingress Tool Transfer (uses)
- ttp T1543.002 Create or Modify System Process: Systemd Service (uses)
- ttp T1102 Web Service (uses)
- ttp T1552.001 Unsecured Credentials: Credentials In Files (uses)
- ttp T1555 Credentials from Password Stores (uses)
- ttp T1036 Masquerading (uses)