malware
npm
pino-zod
discovered 2026-05-26

pino-zod is a Wave 3 parallel package in the forge-jsx RAT campaign, published by rafael_silva ([email protected]) on 2026-06-22. It poses as a pino/zod integration utility. It carries the full Phase 5 RAT feature set, identical to forge-jsx4. The C2 rotated to 212.193.3.61 (same ports 9877/8765, same default password 'secret'). The durable directory is hardcoded as .forge-jsxy (a copy-paste OPSEC failure). This is the first simultaneous multi-package operation: it was active at the same time as forge-jsx4 and zod-pino.
Threat types
rat credential_stealer data_exfiltration persistence c2_agent crypto_drainer
Malicious versions
- 1.0.121
- 1.0.122 · 0eb72e0794c7e51c…
Campaigns
Indicators
- ipv4 212.193.3.61 (communicates-with)
- url ws://212.193.3.61:9877 (communicates-with)
- url http://212.193.3.61:8765 (communicates-with)
- sha256 0eb72e0794c7e51ca1d790c443b5f573e1288bad6e6c56d1bd9c4b69a71d65d0 (indicates)
- email [email protected] (indicates)
- file_path ~/.config/systemd/user/forge-js-worker.service (drops)
- file_path ~/.config/autostart/forge-js-worker.desktop (drops)
- file_path ~/Library/LaunchAgents/com.forgejs.worker.plist (drops)
Techniques
- ttp T1195.002 Supply Chain Compromise: Compromise Software Supply Chain (uses)
- ttp T1059.007 Command and Scripting Interpreter: JavaScript (uses)
- ttp T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (uses)
- ttp T1543.001 Create or Modify System Process: Launch Agent (uses)
- ttp T1543.002 Create or Modify System Process: Systemd Service (uses)
- ttp T1056.001 Input Capture: Keylogging (uses)
- ttp T1115 Clipboard Data (uses)
- ttp T1113 Screen Capture (uses)
- ttp T1005 Data from Local System (uses)
- ttp T1567.001 Exfiltration Over Web Service: Exfiltration to Code Repository (uses)
- ttp T1071.001 Application Layer Protocol: Web Protocols (uses)
- ttp T1027 Obfuscated Files or Information (uses)
- ttp T1082 System Information Discovery (uses)
- ttp T1217 Browser Information Discovery (uses)
- ttp T1552.001 Unsecured Credentials: Credentials In Files (uses)
- ttp T1020 Automated Exfiltration (uses)