malware npm

zod-pino444

discovered 2026-05-26

zod-pino444 is a Wave 4 package in the forge-jsx RAT campaign, published by donimique ([email protected]) starting 2026-07-05, 20 minutes after zod-pino434's last version -- the same shared build-version counter behavior first observed in Wave 3 (two different package names sharing overlapping version numbers). Uses the same rotated AES key as zod-pino434, zredis-typed, and pinokio-redis (byte-identical deploymentCipherData.js). C2 config decrypts to publicHost 212.193.3.61, relayPort 9877, apiPort 8765, defaultExplorerPassword 'secret'. Durable directory hardcoded as .forge-jsxy. README.md is literally titled '# forge-jsx'. Versions 1.0.129 and 1.0.130 add a self-referential devDependency on the prior zod-pino444 version, an artifact of the operator's build/version-bump script.

Threat types

rat credential_stealer data_exfiltration persistence c2_agent crypto_drainer

Malicious versions

  • 1.0.128 · 93817e263f285f20…
  • 1.0.129
  • 1.0.130
  • 1.0.131 · 1d4ef70d7856704b…

Campaigns

Indicators

Techniques

Read the full analysis →