npm

godsplan

godsplan is identified in the SafeDep analysis "ixpresso-core: Windows RAT Disguised as a WhatsApp Agent". ixpresso-core poses as an AI WhatsApp agent on npm but installs Veltrix, a Windows RAT that steals browser credentials, Discord tokens, and keystrokes via a hardcoded Discord webhook.

discovered 2026-04-16

Threat types

ratcredential_stealerdata_exfiltrationpersistencec2_agent

Malicious versions

1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8

Campaigns

fucktestpad npm Malwareattributed-to

Indicators

domaindiscord.comcommunicates-with
ipv40.0.0.0communicates-with
email[email protected]exfiltrates-to

Techniques

ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttpT1059.007 Command and Scripting Interpreter: JavaScriptuses
ttpT1552.001 Unsecured Credentials: Credentials In Filesuses
ttpT1041 Exfiltration Over C2 Channeluses
ttpT1528 Steal Application Access Tokenuses
ttpT1539 Steal Web Session Cookieuses
ttpT1105 Ingress Tool Transferuses
ttpT1071.001 Application Layer Protocol: Web Protocolsuses
ttpT1102 Web Serviceuses
ttpT1546 Event Triggered Executionuses

Read the full analysis →