malware npm

pinokio-redis

discovered 2026-05-26

pinokio-redis is a Wave 4 package in the forge-jsx RAT campaign, published by donimique ([email protected]) on 2026-07-06, roughly 12 hours after zredis-typed. Only known version; user (SafeDep) confirmed all versions of pinokio-redis are malicious. Uses the same rotated AES key as zod-pino434, zod-pino444, and zredis-typed (byte-identical deploymentCipherData.js -- single shared build). C2 config decrypts to publicHost 212.193.3.61, relayPort 9877, apiPort 8765, defaultExplorerPassword 'secret'. Durable directory hardcoded as .forge-jsxy. README.md is literally titled '# forge-jsx'. As of this analysis (2026-07-06) still live on npm.

Threat types

rat credential_stealer data_exfiltration persistence c2_agent crypto_drainer

Malicious versions

  • 1.0.127 · a400b0342add77fd…

Campaigns

Indicators

Techniques

Read the full analysis →