malware npm

zod-pino434

discovered 2026-05-26

zod-pino434 is a Wave 4 package in the forge-jsx RAT campaign, published by a new npm account, donimique ([email protected]), starting 2026-07-04. First package in the campaign's history to use rotated AES key material (new KEY_A/KEY_B/MASK_A/MASK_B byte arrays, verified byte-identical deploymentCipherData.js against zod-pino444/zredis-typed/pinokio-redis -- single shared build). C2 config still decrypts to publicHost 212.193.3.61, relayPort 9877, apiPort 8765, defaultExplorerPassword 'secret' -- the same IP as Wave 3's pino-zod/zod-pino rotation, reused rather than rotated again. Durable directory hardcoded as .forge-jsxy. README.md is literally titled '# forge-jsx'. Full Phase 5 RAT feature set identical to prior waves.

Threat types

rat credential_stealer data_exfiltration persistence c2_agent crypto_drainer

Malicious versions

  • 1.0.127 · a99be9fe0e7d6606…
  • 1.0.128 · 9e570641fd815e2f…

Campaigns

Indicators

Techniques

Read the full analysis →