malware npm

zod-pino

discovered 2026-05-26

zod-pino is a Wave 3 parallel package in the forge-jsx RAT campaign, published by rafael_silva ([email protected]) on 2026-06-22. It poses as a zod/pino integration utility and carries the full Phase 5 RAT feature set, identical to forge-jsx4. The C2 was rotated to 212.193.3.61, with the same ports (9877/8765) and the same default password ('secret'). The durable directory is hardcoded as .forge-jsxy, a copy-paste OPSEC failure. This is the first simultaneous multi-package operation in the campaign: zod-pino was active at the same time as forge-jsx4 and pino-zod.

Threat types

rat credential_stealer data_exfiltration persistence c2_agent crypto_drainer

Malicious versions

  • 1.0.122
  • 1.0.123
  • 1.0.124
  • 1.0.125 · 1f7616b3c38f8586…
