malware npm

@apexcraft/nano-key

discovered 2026-06-23

Root package of the campaign and the named lineage. Versions 1.3.2-1.3.7 ship a ~277KB obfuscated payload (dist/cjs/seed.cjs) that is auto-executed by the postinstall hook 'node ./dist/cjs/seed.cjs'; Amazon Inspector's fuller enumeration also lists 1.2.4, 1.2.5 and 1.3.8 as malicious. The latest dist-tag was scrubbed to empty scripts to hide the hook.

CORRECTED PAYLOAD (Amazon Inspector's dynamic analysis supersedes the earlier static hypothesis): seed.cjs is a DOWNLOADER/LOADER. Behind environment-variable guards it spawns a detached child process, downloads a ~10.6MB Rust-compiled binary from GitHub Releases (github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/{linux,mac,win.js}), and executes it.

The Rust binary is the infostealer. It targets 30+ crypto wallets (MetaMask, Phantom, Trust Wallet, Solflare, Keplr, Ledger, Trezor, ...), browser credentials (Chrome/Brave/Firefox/Edge passwords, cookies, history, autofill and cards), cloud tokens (AWS, GCP, Azure, Kubernetes), SSH keys, Discord tokens and Telegram session data, developer credentials (npm, .env, .npmrc, GitHub PAT, PyPI), and database client connection strings. Persistence is a systemd USER service masquerading as a benign daemon (colord, haveged). Exfiltration: on Windows via the Telegram Bot API (api.telegram.org, 149.154.166.110); on Linux/macOS via HTTP multipart/form-data (minreq), gated behind anti-VM checks.

The earlier static hypothesis (a self-contained Chromium credential stealer: Cookies/Login Data -> aes-256-gcm decrypt -> HTTPS exfil with a spoofed Mozilla/5.0 UA) is SUPERSEDED; browser-credential theft is now one capability of the Rust second stage. SafeDep's first-stage observations stand: obfuscator.io RC4+base64 decoder, a guarded runPrepare()/onInstall() wrapper auto-fired via require.main===module, and dynamic require. Build cluster A (string-array function _0xe119, re-entrancy guard __EE9863E13F_TAG), shared with @briskforge and @chunklab.

Threat types

  • credential_stealer
  • data_exfiltration
  • persistence
  • crypto_drainer
  • c2_agent
  • typosquat
  • other

Malicious versions

  • 1.2.4
  • 1.2.5
  • 1.3.2
  • 1.3.3
  • 1.3.4
  • 1.3.5
  • 1.3.6
  • 1.3.7 · c8a2b8430b5fac70…
  • 1.3.8
