apintergrationpost
discovered 2026-06-21
Full Linux remote access trojan with a native C rootkit, distributed as an npm package. It compiles an LD_PRELOAD rootkit during install, establishes triple persistence (LD_PRELOAD, cron, profile.d), masquerades as systemd-userdbd, runs filelessly via memfd_create + fexecve, injects into processes with ptrace, and provides an interactive PTY shell, file upload/download, live screen streaming (ffmpeg x11grab on X11, grim on Wayland), process/network/file enumeration, and a C2 beacon with log-normal jitter. Six versions were published within 40 minutes by the throwaway account kimijohn01. Dual naming: MYRA internally, apintergrationpost externally. A lab mode and embedded MITRE technique IDs suggest either a red team tooling origin or a plausible-deniability design. The C2 address is RFC 1918 private space (192.168.54.1), which is unusual for public npm malware.
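Host triage checks for the persistence and fileless-execution behaviours described above, as an added example (not code from this advisory or the package). The system library prefixes, process names and sample host state below are assumptions and constructed data, not indicators from this report.

```python
import re

# Detection heuristics for the behaviours named in the advisory (added example).
# Directory prefixes are assumptions; adjust them to the distribution being triaged.
LEGIT_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")
LEGIT_USERDBD_DIRS = ("/usr/lib/systemd/", "/lib/systemd/")
MASQUERADE_NAME = "systemd-userdbd"
LD_PRELOAD_RE = re.compile(r"\bLD_PRELOAD\s*=")

def suspicious_preload_entries(ld_so_preload_text: str) -> list[str]:
    """Libraries listed in /etc/ld.so.preload outside the system library directories.
    A healthy host usually has this file empty or absent, so every entry deserves review."""
    entries = []
    for line in ld_so_preload_text.splitlines():
        entries.extend(line.split("#", 1)[0].split())   # drop comments, split on whitespace
    return [e for e in entries if not e.startswith(LEGIT_LIB_DIRS)]

def memfd_backed_pids(exe_links: dict[int, str]) -> list[int]:
    """PIDs whose /proc/<pid>/exe resolves to an anonymous memfd, i.e. a binary run from
    memory via memfd_create + fexecve; readlink shows '/memfd:<name> (deleted)'."""
    return sorted(pid for pid, exe in exe_links.items() if exe.startswith("/memfd:"))

def masquerading_pids(comm: dict[int, str], exe_links: dict[int, str]) -> list[int]:
    """PIDs that report the systemd-userdbd name but execute from outside systemd's lib dir."""
    return sorted(pid for pid, name in comm.items()
                  if name == MASQUERADE_NAME
                  and not exe_links.get(pid, "").startswith(LEGIT_USERDBD_DIRS))

def preload_in_startup_scripts(scripts: dict[str, str]) -> list[str]:
    """Cron or profile.d files that set LD_PRELOAD, the re-persistence hooks named above."""
    return sorted(path for path, text in scripts.items() if LD_PRELOAD_RE.search(text))

def triage(preload_text, comm, exe_links, scripts) -> dict:
    """Run every check; empty lists mean none of the described behaviours was observed."""
    return {"preload": suspicious_preload_entries(preload_text),
            "memfd": memfd_backed_pids(exe_links),
            "masquerade": masquerading_pids(comm, exe_links),
            "scripts": preload_in_startup_scripts(scripts)}

# Constructed sample standing in for /etc/ld.so.preload, /proc/<pid>/comm, /proc/<pid>/exe
# and startup scripts. All values are illustrative, not indicators from the advisory.
SAMPLE_PRELOAD = "/lib/x86_64-linux-gnu/libexample.so\n/tmp/.cache/libsysfix.so  # hidden\n"
SAMPLE_COMM = {1201: "systemd-userdbd", 1450: "systemd-userdbd", 1500: "bash"}
SAMPLE_EXE = {1201: "/usr/lib/systemd/systemd-userdbd",
              1450: "/memfd:upd (deleted)", 1500: "/usr/bin/bash"}
SAMPLE_SCRIPTS = {"/etc/profile.d/zz-locale.sh": "export LD_PRELOAD=/tmp/.cache/libsysfix.so\n",
                  "/etc/cron.d/e2scrub_all": "30 3 * * 0 root /sbin/e2scrub_all\n"}

if __name__ == "__main__":
    print(triage(SAMPLE_PRELOAD, SAMPLE_COMM, SAMPLE_EXE, SAMPLE_SCRIPTS))
```

On a live host, feed the functions the contents of /etc/ld.so.preload, the readlink results of /proc/*/exe, the /proc/*/comm values and the text of /etc/cron* and /etc/profile.d files; the rootkit's LD_PRELOAD hooks may hide entries from userland tools, so compare against a read taken from a trusted boot medium.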
Malicious versions
- 4.0.1 · 6f4da8919cef1623…
- 4.0.2 · bff1cee1548dfc29…
- 4.0.3 · ba8e9452c53f5b66…
- 4.0.4 · cc1287f3eb21f176…
- 4.0.5 · 2253a51ce77c72ca…
- 4.0.6 · a6c687f276034f5b…
Indicators
Techniques
- T1059.004 Command and Scripting Interpreter: Unix Shell
- T1036.004 Masquerading: Masquerade Task or Service
- T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking
- T1053.003 Scheduled Task/Job: Cron
- T1546.004 Event Triggered Execution: Unix Shell Configuration Modification
- T1027.011 Obfuscated Files or Information: Fileless Storage
- T1055.008 Process Injection: Ptrace System Calls
- T1113 Screen Capture
- T1082 System Information Discovery
- T1057 Process Discovery
- T1049 System Network Connections Discovery
- T1083 File and Directory Discovery
- T1105 Ingress Tool Transfer
- T1071.001 Application Layer Protocol: Web Protocols
- T1573.002 Encrypted Channel: Asymmetric Cryptography
- T1029 Scheduled Transfer
- T1195.002 Compromise Software Supply Chain
