forge-jsx RAT
Multi-wave npm supply chain campaign deploying a cross-platform RAT disguised as Autodesk Forge SDK packages. Uses shared C2 infrastructure at 204.10.194.247 across waves. Wave 1 (forge-jsx, April 2026) provided base RAT capabilities. Wave 2 (forge-jsxy, May 2026) added Discord screenshot exfiltration, Hugging Face uploads, crypto wallet scanning, Chromium extension harvesting, WebRTC P2P, and durable persistence outside node_modules.
Discovered: 2026-04-15
Packages
Indicators
- domain: 204.10.194.247 (communicates-with)
- ipv4: 204.10.194.247 (communicates-with)
- sha256: 4cb96c3b033c1aaf7b3d0fe54749058f14d4d914947a6d6d430aca108a7daa5a (indicates)
- email: [email protected] (exfiltrates-to)
- email: [email protected] (exfiltrates-to)
- url: ws://204.10.194.247:9877 (communicates-with)
- url: http://204.10.194.247:8765 (communicates-with)
- sha256: 4938d47fe6216f8f9fee0527bf5112c04c15a9ea62f87869677619aa5400f09f (indicates)
- sha256: 8070daba5d6ca61c357574526d1e0f468ae575a4edf74cc90a8d8b8c78e3aeef (indicates)
- email: [email protected] (indicates)
- domain: taohunter.ai (communicates-with)
- file_path: ~/.config/systemd/user/forge-js-worker.service (drops)
- file_path: ~/.config/autostart/forge-js-worker.desktop (drops)
- file_path: ~/Library/LaunchAgents/com.forgejs.worker.plist (drops)
Techniques
- T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools (uses)
- T1059.007 Command and Scripting Interpreter: JavaScript (uses)
- T1552.001 Unsecured Credentials: Credentials In Files (uses)
- T1041 Exfiltration Over C2 Channel (uses)
- T1105 Ingress Tool Transfer (uses)
- T1071.001 Application Layer Protocol: Web Protocols (uses)
- T1546 Event Triggered Execution (uses)
- T1195.002 Supply Chain Compromise: Compromise Software Supply Chain (uses)
- T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (uses)
- T1547.004 Boot or Logon Autostart Execution: Launch Agent (uses)
- T1543.002 Create or Modify System Process: Systemd Service (uses)
- T1056.001 Input Capture: Keylogging (uses)
- T1115 Clipboard Data (uses)
- T1113 Screen Capture (uses)
- T1005 Data from Local System (uses)
- T1567.001 Exfiltration Over Web Service: Exfiltration to Code Repository (uses)
- T1027 Obfuscated Files or Information (uses)
- T1082 System Information Discovery (uses)
- T1217 Browser Information Discovery (uses)
- T1020 Automated Exfiltration (uses)
