fucktestpad npm Malware
npm packages from a single operator delivering Windows RATs and browser cookie/credential stealers. Every variant exfiltrates to [email protected], linking the packages to one actor.
discovered 2026-04-16
Objective
Deploy RATs and steal browser cookies and credentials from developer machines.
Packages
Indicators
Techniques
- ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
- ttpT1059.007 Command and Scripting Interpreter: JavaScriptuses
- ttpT1552.001 Unsecured Credentials: Credentials In Filesuses
- ttpT1041 Exfiltration Over C2 Channeluses
- ttpT1552.004 Unsecured Credentials: Private Keysuses
- ttpT1528 Steal Application Access Tokenuses
- ttpT1539 Steal Web Session Cookieuses
- ttpT1105 Ingress Tool Transferuses
- ttpT1071.001 Application Layer Protocol: Web Protocolsuses
- ttpT1102 Web Serviceuses
- ttpT1546 Event Triggered Executionuses
