malware
npm
zod-pino
discovered 2026-05-26

zod-pino is a Wave 3 parallel package in the forge-jsx RAT campaign, published by rafael_silva ([email protected]) on 2026-06-22. It poses as a zod/pino integration utility and carries the full Phase 5 RAT feature set, identical to forge-jsx4. The C2 was rotated to 212.193.3.61 (same ports 9877/8765, same default password 'secret'). The durable directory is hardcoded as .forge-jsxy (a copy-paste OPSEC failure). This is the campaign's first simultaneous multi-package operation: it was active at the same time as forge-jsx4 and pino-zod.
Threat types
rat credential_stealer data_exfiltration persistence c2_agent crypto_drainer
Malicious versions
- 1.0.122
- 1.0.123
- 1.0.124
- 1.0.125 · 1f7616b3c38f8586…
Campaigns
Indicators
- ipv4 212.193.3.61 · communicates-with
- url ws://212.193.3.61:9877 · communicates-with
- url http://212.193.3.61:8765 · communicates-with
- sha256 1f7616b3c38f85860abd9ae989d72915e9c13f0d106804471a811a38d63e5293 · indicates
- email [email protected] · indicates
- file_path ~/.config/systemd/user/forge-js-worker.service · drops
- file_path ~/.config/autostart/forge-js-worker.desktop · drops
- file_path ~/Library/LaunchAgents/com.forgejs.worker.plist · drops
Techniques
- ttp T1195.002 Compromise Software Supply Chain · uses
- ttp T1059.007 Command and Scripting Interpreter: JavaScript · uses
- ttp T1547.001 Boot or Logon Autostart Execution: Registry Run Keys · uses
- ttp T1547.004 Boot or Logon Autostart Execution: Launch Agent · uses
- ttp T1543.002 Create or Modify System Process: Systemd Service · uses
- ttp T1056.001 Input Capture: Keylogging · uses
- ttp T1115 Clipboard Data · uses
- ttp T1113 Screen Capture · uses
- ttp T1005 Data from Local System · uses
- ttp T1567.001 Exfiltration to Code Repository · uses
- ttp T1071.001 Application Layer Protocol: Web Protocols · uses
- ttp T1027 Obfuscated Files or Information · uses
- ttp T1082 System Information Discovery · uses
- ttp T1217 Browser Information Discovery · uses
- ttp T1552.001 Unsecured Credentials: Credentials In Files · uses
- ttp T1020 Automated Exfiltration · uses