zod-pino444
discovered 2026-05-26zod-pino444 is a Wave 4 package in the forge-jsx RAT campaign, published by donimique ([email protected]) starting 2026-07-05, 20 minutes after zod-pino434's last version -- the same shared build-version counter behavior first observed in Wave 3 (two different package names sharing overlapping version numbers). Uses the same rotated AES key as zod-pino434, zredis-typed, and pinokio-redis (byte-identical deploymentCipherData.js). C2 config decrypts to publicHost 212.193.3.61, relayPort 9877, apiPort 8765, defaultExplorerPassword 'secret'. Durable directory hardcoded as .forge-jsxy. README.md is literally titled '# forge-jsx'. Versions 1.0.129 and 1.0.130 add a self-referential devDependency on the prior zod-pino444 version, an artifact of the operator's build/version-bump script.
Threat types
Malicious versions
- 1.0.128 · 93817e263f285f20…
- 1.0.129
- 1.0.130
- 1.0.131 · 1d4ef70d7856704b…
Campaigns
Indicators
- ipv4 212.193.3.61communicates-with
- url ws://212.193.3.61:9877communicates-with
- url http://212.193.3.61:8765communicates-with
- sha256 93817e263f285f20ed213eb07bbab2857493183c0abf9563facfc65fdd4467f7indicates
- sha256 1d4ef70d7856704b373579ae23cba0ebf690ef062b29361f6aa0f51a1cdd9052indicates
- email [email protected]indicates
- file_path ~/.config/systemd/user/forge-js-worker.servicedrops
- file_path ~/.config/autostart/forge-js-worker.desktopdrops
- file_path ~/Library/LaunchAgents/com.forgejs.worker.plistdrops
Techniques
- ttp T1195.002 Compromise Software Supply Chainuses
- ttp T1059.007 Command and Scripting Interpreter: JavaScriptuses
- ttp T1547.001 Boot or Logon Autostart Execution: Registry Run Keysuses
- ttp T1547.004 Boot or Logon Autostart Execution: Launch Agentuses
- ttp T1543.002 Systemd Serviceuses
- ttp T1056.001 Input Capture: Keylogginguses
- ttp T1115 Clipboard Datauses
- ttp T1113 Screen Captureuses
- ttp T1005 Data from Local Systemuses
- ttp T1567.001 Exfiltration to Code Repositoryuses
- ttp T1071.001 Application Layer Protocol: Web Protocolsuses
- ttp T1027 Obfuscated Files or Informationuses
- ttp T1082 System Information Discoveryuses
- ttp T1217 Browser Information Discoveryuses
- ttp T1552.001 Unsecured Credentials: Credentials In Filesuses
- ttp T1020 Automated Exfiltrationuses