malware npm

pino-zod

discovered 2026-05-26

pino-zod is a Wave 3 parallel package in the forge-jsx RAT campaign, published by rafael_silva ([email protected]) on 2026-06-22. It poses as a pino/zod integration utility and carries the full Phase 5 RAT feature set, identical to forge-jsx4. The C2 was rotated to 212.193.3.61 (same ports 9877/8765, same default password 'secret'). The durable directory is hardcoded as .forge-jsxy (a copy-paste OPSEC failure). This is the first simultaneous multi-package operation: pino-zod was active at the same time as forge-jsx4 and zod-pino.

Threat types

rat credential_stealer data_exfiltration persistence c2_agent crypto_drainer

Malicious versions

  • 1.0.121
  • 1.0.122 · 0eb72e0794c7e51c…
