compose-logger-stand
discovered 2026-05-26compose-logger-stand is the Wave 4 bridge package in the forge-jsx RAT campaign, published by jacksondkeindlson ([email protected]) on 2026-07-02, closing the version gap between zod-pino's last version (v1.0.125) and the start of Wave 4's donimique cluster (v1.0.127). Poses as a logging/compose utility but description is unchanged ('Node.js integration layer for Autodesk Forge'). C2 config decrypts to the unmodified Wave 2/3 key and C2: publicHost 204.10.194.247, relayPort 9877, apiPort 8765, defaultExplorerPassword 'secret'. KEY_A/MASK_A byte arrays are an exact match to forge-jsxy/forge-jsx4. Durable directory hardcoded as .forge-jsxy. dist/ layout uses subdirectories (agent/, chromium/, clipboard/, core/, discord/, filesystem/, hf/, linux/, relay/, sync/, webrtc/) rather than the flat layout of later Wave 4 packages, but functional capability is unchanged. Only known version; only package published by this account.
Threat types
Malicious versions
- 1.0.126 · 0085d5b5d4a2bbb3…
Campaigns
Indicators
- ipv4 204.10.194.247communicates-with
- url ws://204.10.194.247:9877communicates-with
- url http://204.10.194.247:8765communicates-with
- sha256 0085d5b5d4a2bbb3fd1f38e6b251872d4f753aa8f1ac7f20524c521ff5ca5933indicates
- email [email protected]indicates
- file_path ~/.config/systemd/user/forge-js-worker.servicedrops
- file_path ~/.config/autostart/forge-js-worker.desktopdrops
- file_path ~/Library/LaunchAgents/com.forgejs.worker.plistdrops
Techniques
- ttp T1195.002 Compromise Software Supply Chainuses
- ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
- ttp T1547.001 Boot or Logon Autostart Execution: Registry Run Keysuses
- ttp T1547.004 Boot or Logon Autostart Execution: Launch Agentuses
- ttp T1543.002 Systemd Serviceuses
- ttp T1056.001 Input Capture: Keylogginguses
- ttp T1115 Clipboard Datauses
- ttp T1113 Screen Captureuses
- ttp T1005 Data from Local Systemuses
- ttp T1567.001 Exfiltration to Code Repositoryuses
- ttp T1071.001 Application Layer Protocol: Web Protocolsuses
- ttp T1027 Obfuscated Files or Informationuses
- ttp T1082 System Information Discoveryuses
- ttp T1217 Browser Information Discoveryuses
- ttp T1552.001 Unsecured Credentials: Credentials In Filesuses
- ttp T1020 Automated Exfiltrationuses