npm

backslash

backslash is identified in the SafeDep analysis "npm Supply Chain Attack: Multiple Popular Packages Hijacked (1B+ Weekly Downloads)". Complete analysis of sophisticated crypto wallet drainer found in 21 npm packages with over one billion weekly downloads. Includes detailed technical breakdown of 76KB malware payload disguised in [email protected] and multi-stage attack architecture.

discovered 2025-09-08

Threat types

crypto_drainer

Malicious versions

0.2.1

Campaigns

qix npm Account Compromiseattributed-to

Indicators

sha1fc4a4858bafef54d1b1d7697bfb5c52f4c166976indicates
md519111111111111111111111111111111indicates
wallet0x66a9893cC07D91D95644AEDD05D03f95e1dBA8Afexfiltrates-to
wallet0x10ed43c718714eb63d5aa57b78b54704e256024eexfiltrates-to
wallet0x13f4ea83d0bd40e75c8222255bc855a974568dd4exfiltrates-to
wallet0x1111111254eeb25477b68fb85ed929f73a960582exfiltrates-to
wallet0xd9e1ce17f2641f24ae83637ab66a2cca9c378b9fexfiltrates-to
wallet0xfc4a4858bafef54d1b1d7697bfb5c52f4c166976exfiltrates-to
wallet0x66a9893cc07d91d95644aedd05d03f95e1dba8afexfiltrates-to
wallet0xFc4a4858bafef54D1b1d7697bfb5c52F4c166976exfiltrates-to
wallet0xa29eeFb3f21Dc8FA8bce065Db4f4354AA683c024exfiltrates-to
wallet0x40C351B989113646bc4e9Dfe66AE66D24fE6Da7Bexfiltrates-to

Techniques

ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttpT1059.007 Command and Scripting Interpreter: JavaScriptuses
ttpT1041 Exfiltration Over C2 Channeluses
ttpT1552.004 Unsecured Credentials: Private Keysuses
ttpT1105 Ingress Tool Transferuses

Read the full analysis →