@apexcraft/nano-key
Discovered 2026-06-23. Root package of the campaign and the named lineage. Versions 1.3.2-1.3.7 ship a ~277KB obfuscated payload (dist/cjs/seed.cjs) auto-executed via the postinstall hook 'node ./dist/cjs/seed.cjs'; Amazon Inspector's fuller enumeration also lists 1.2.4/1.2.5 and 1.3.8 as malicious. The latest dist-tag was scrubbed to empty scripts to hide the hook.

CORRECTED PAYLOAD (Amazon Inspector dynamic analysis supersedes the earlier static hypothesis): seed.cjs is a DOWNLOADER/LOADER. Behind env-var guards it spawns a detached child process, downloads a ~10.6MB Rust-compiled binary from GitHub Releases (github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/{linux,mac,win.js}), and executes it.

The Rust binary is the infostealer: 30+ crypto wallets (MetaMask/Phantom/Trust Wallet/Solflare/Keplr/Ledger/Trezor/...), browser credentials (Chrome/Brave/Firefox/Edge passwords/cookies/history/autofill/cards), cloud tokens (AWS/GCP/Azure/Kubernetes), SSH keys, Discord tokens + Telegram session data, developer creds (npm/.env/.npmrc/GitHub PAT/PyPI), and DB client connection strings.

Persistence: a systemd USER service masquerading as a benign daemon (colord, haveged). Exfil: Windows -> Telegram Bot API (api.telegram.org, 149.154.166.110); Linux/macOS -> HTTP multipart/form-data (minreq), gated behind anti-VM checks.

The earlier static hypothesis (self-contained Chromium credential stealer: Cookies/Login Data -> aes-256-gcm decrypt -> HTTPS exfil with spoofed Mozilla/5.0 UA) is SUPERSEDED; browser-credential theft is now one capability of the Rust second stage. SafeDep first-stage observations stand: obfuscator.io RC4+base64 decoder, guarded runPrepare()/onInstall() wrapper auto-fired via require.main===module, dynamic require. Build cluster A (string-array fn _0xe119, re-entrancy guard __EE9863E13F_TAG), shared with @briskforge and @chunklab.
Threat types
Malicious versions
- 1.2.4
- 1.2.5
- 1.3.2
- 1.3.3
- 1.3.4
- 1.3.5
- 1.3.6
- 1.3.7 · c8a2b8430b5fac70…
- 1.3.8
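A defender-side check for what this entry describes, added here and not part of the advisory or of any vendor tooling it cites: it flags lockfile copies of the package at the versions listed above, flags any install-time script that launches dist/cjs/seed.cjs (needed because the scrubbed latest dist-tag means version matching alone misses a copy that still carries the hook), and flags a user-level systemd unit named after colord/haveged whose ExecStart lives under ~/.local/bin. The lockfile, package.json and unit-file inputs are constructed samples, and the function names are mine.

```python
import re

PACKAGE = "@apexcraft/nano-key"
# Versions the advisory lists as malicious (including the Amazon Inspector additions).
MALICIOUS_VERSIONS = {"1.2.4", "1.2.5", "1.3.2", "1.3.3", "1.3.4", "1.3.5", "1.3.6", "1.3.7", "1.3.8"}
# The postinstall hook from the advisory: 'node ./dist/cjs/seed.cjs' (path prefix may vary);
# [^&;|]* keeps the match inside one shell command so 'node foo && other' is not confused.
SEED_HOOK = re.compile(r"\bnode\b[^&;|]*\bdist/cjs/seed\.cjs\b")
# Daemon names the advisory says the user-level persistence unit masquerades as.
MASQUERADED_DAEMONS = {"colord", "haveged"}


def lockfile_hits(lock):
    """Lockfile v2/v3 dict: (path, version) for every copy of the package at a flagged version."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        # Keys look like 'node_modules/@apexcraft/nano-key', possibly nested under another package.
        if path.endswith("node_modules/" + PACKAGE) and meta.get("version") in MALICIOUS_VERSIONS:
            hits.append((path, meta["version"]))
    return hits


def seed_hooks(pkg):
    """package.json dict: (script_name, command) for install-time scripts launching the loader."""
    return [(name, cmd) for name, cmd in pkg.get("scripts", {}).items()
            if name in ("preinstall", "install", "postinstall") and SEED_HOOK.search(cmd)]


def masquerading_unit(unit_name, unit_text):
    """True if a user unit is named like a system daemon but its ExecStart binary is in ~/.local/bin."""
    stem = unit_name[:-len(".service")] if unit_name.endswith(".service") else unit_name
    exec_start = re.search(r"^ExecStart=(\S+)", unit_text, re.M)
    return stem in MASQUERADED_DAEMONS and bool(exec_start) and "/.local/bin/" in exec_start.group(1)


# Constructed sample inputs (not captured artefacts). Feed real ones via json.load(...) / Path.read_text().
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/@apexcraft/nano-key": {"version": "1.3.5"},
    "node_modules/left-pad": {"version": "1.3.0"},
}}
SAMPLE_PKG = {"name": PACKAGE, "version": "0.0.0-sample",  # version not in the list, hook still present
              "scripts": {"postinstall": "node ./dist/cjs/seed.cjs", "test": "node test.js"}}
SAMPLE_UNIT = "[Service]\nExecStart=/home/dev/.local/bin/colord\nRestart=always\n"

if __name__ == "__main__":
    print(lockfile_hits(SAMPLE_LOCK))                        # [('node_modules/@apexcraft/nano-key', '1.3.5')]
    print(seed_hooks(SAMPLE_PKG))                            # [('postinstall', 'node ./dist/cjs/seed.cjs')]
    print(masquerading_unit("colord.service", SAMPLE_UNIT))  # True
```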
Campaigns
Indicators
- email [email protected] (communicates-with)
- sha256 618dfffb6829356c131fded9f4c6528b73b4f9d7ff1fc1d3b457599a12584e29 (indicates)
- file_path require(_0x45af03['GyrZN']) (indicates)
- github_repo angelmaybeth21-oss/test (drops)
- url https://github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/linux (communicates-with)
- url https://github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/mac (communicates-with)
- url https://github.com/angelmaybeth21-oss/test/releases/download/v1.0.0/win.js (communicates-with)
- sha256 2457b2e775a5fe7a9e022ba77074a1b9aacb41b4fc0cc1d8a3dc66546599c5de (drops)
- sha256 b1c7b17f31a84e2596250121c3610ae5e0d592651940dd6c0dd74506f0f38313 (drops)
- sha256 11fe3a47333f63fd0e0a32ea16351eb302659aba983c07e4ea3dc9b09b618509 (drops)
- domain api.telegram.org (exfiltrates-to)
- ipv4 149.154.166.110 (exfiltrates-to)
- file_path /tmp/_installer-0/ (indicates)
- file_path ~/.local/bin/<daemon> (indicates)
- file_path ~/.config/systemd/user/<daemon>.service (indicates)
- file_path ~/.local/state/<daemon>/{install.nonce,machine.id} (indicates)
Techniques
- ttp T1195.002 Compromise Software Supply Chain (uses)
- ttp T1059.007 Command and Scripting Interpreter: JavaScript (uses)
- ttp T1027 Obfuscated Files or Information (uses)
- ttp T1555.003 Credentials from Password Stores: Web Browsers (uses)
- ttp T1539 Steal Web Session Cookie (uses)
- ttp T1071.001 Application Layer Protocol: Web Protocols (uses)
- ttp T1105 Ingress Tool Transfer (uses)
- ttp T1543.002 Create or Modify System Process: Systemd Service (uses)
- ttp T1102 Web Service (uses)
- ttp T1552.001 Unsecured Credentials: Credentials In Files (uses)
- ttp T1555 Credentials from Password Stores (uses)