forge-jsxy
forge-jsxy is the Wave 2 successor to forge-jsx, published after npm took down the original. It poses as an Autodesk Forge SDK and deploys a full-featured cross-platform RAT with keylogging, .env scanning, shell history exfiltration, Chromium extension LevelDB harvesting across 21+ browsers, cryptocurrency wallet scanning (BIP39/Solana/secp256k1), Discord screenshot exfiltration via bot webhooks, Hugging Face Hub data uploads, WebRTC P2P channels, durable persistence outside node_modules, and relay-pushed auto-upgrades. C2 at 204.10.194.247.
Discovered: 2026-05-26
Threat types
- rat
- credential_stealer
- data_exfiltration
- persistence
- c2_agent
- crypto_drainer
Malicious versions
- 1.0.66 · 8070daba5d6ca61c…
- 1.0.67
- 1.0.68
- 1.0.69
- 1.0.70
- 1.0.71
- 1.0.72
- 1.0.73
- 1.0.74
- 1.0.75
- 1.0.76
- 1.0.77
- 1.0.78
- 1.0.79
- 1.0.80
- 1.0.81
- 1.0.82
- 1.0.83
- 1.0.84
- 1.0.85
- 1.0.86
- 1.0.91 · 4938d47fe6216f8f…
Campaigns
Indicators
- ipv4 · 204.10.194.247 · communicates-with
- url · ws://204.10.194.247:9877 · communicates-with
- url · http://204.10.194.247:8765 · communicates-with
- sha256 · 4938d47fe6216f8f9fee0527bf5112c04c15a9ea62f87869677619aa5400f09f · indicates
- sha256 · 8070daba5d6ca61c357574526d1e0f468ae575a4edf74cc90a8d8b8c78e3aeef · indicates
- email · [email protected] · indicates
- domain · taohunter.ai · communicates-with
- file_path · ~/.config/systemd/user/forge-js-worker.service · drops
- file_path · ~/.config/autostart/forge-js-worker.desktop · drops
- file_path · ~/Library/LaunchAgents/com.forgejs.worker.plist · drops
Techniques
- ttp · T1195.002 Supply Chain Compromise: Compromise Software Supply Chain · uses
- ttp · T1059.007 Command and Scripting Interpreter: JavaScript · uses
- ttp · T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder · uses
- ttp · T1547.004 Boot or Logon Autostart Execution: Launch Agent · uses
- ttp · T1543.002 Create or Modify System Process: Systemd Service · uses
- ttp · T1056.001 Input Capture: Keylogging · uses
- ttp · T1115 Clipboard Data · uses
- ttp · T1113 Screen Capture · uses
- ttp · T1005 Data from Local System · uses
- ttp · T1567.001 Exfiltration Over Web Service: Exfiltration to Code Repository · uses
- ttp · T1071.001 Application Layer Protocol: Web Protocols · uses
- ttp · T1027 Obfuscated Files or Information · uses
- ttp · T1082 System Information Discovery · uses
- ttp · T1217 Browser Information Discovery · uses
- ttp · T1552.001 Unsecured Credentials: Credentials In Files · uses
- ttp · T1020 Automated Exfiltration · uses
