malware npm

compose-logger-stand

discovered 2026-05-26

compose-logger-stand is the Wave 4 bridge package in the forge-jsx RAT campaign, published by jacksondkeindlson ([email protected]) on 2026-07-02, closing the version gap between zod-pino's last version (v1.0.125) and the start of Wave 4's donimique cluster (v1.0.127). Poses as a logging/compose utility but description is unchanged ('Node.js integration layer for Autodesk Forge'). C2 config decrypts to the unmodified Wave 2/3 key and C2: publicHost 204.10.194.247, relayPort 9877, apiPort 8765, defaultExplorerPassword 'secret'. KEY_A/MASK_A byte arrays are an exact match to forge-jsxy/forge-jsx4. Durable directory hardcoded as .forge-jsxy. dist/ layout uses subdirectories (agent/, chromium/, clipboard/, core/, discord/, filesystem/, hf/, linux/, relay/, sync/, webrtc/) rather than the flat layout of later Wave 4 packages, but functional capability is unchanged. Only known version; only package published by this account.

Threat types

rat credential_stealer data_exfiltration persistence c2_agent crypto_drainer

Malicious versions

  • 1.0.126 · 0085d5b5d4a2bbb3…

Campaigns

Indicators

Techniques

Read the full analysis →