npm

@johntaohunter/forge-jsx

@johntaohunter/forge-jsx is identified in the SafeDep analysis "forge-jsx npm Package: Purpose-Built Multi-Platform RAT". forge-jsx poses as an Autodesk Forge SDK on npm. On install it deploys a system-wide keylogger, recursive .env file scanner, shell history exfiltrator, and a WebSocket-based remote filesystem backdoor to C2 at 204.10.194.247, with persistence via systemd, LaunchAgent, and Task Scheduler.

discovered 2026-04-15

Threat types

ratcredential_stealerdata_exfiltrationpersistencec2_agent

Malicious versions

1.0.4

Campaigns

forge-jsx RATattributed-to

Indicators

domain204.10.194.247communicates-with
ipv4204.10.194.247communicates-with
sha2564cb96c3b033c1aaf7b3d0fe54749058f14d4d914947a6d6d430aca108a7daa5aindicates
email[email protected]exfiltrates-to
email[email protected]exfiltrates-to

Techniques

ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttpT1059.007 Command and Scripting Interpreter: JavaScriptuses
ttpT1552.001 Unsecured Credentials: Credentials In Filesuses
ttpT1041 Exfiltration Over C2 Channeluses
ttpT1105 Ingress Tool Transferuses
ttpT1071.001 Application Layer Protocol: Web Protocolsuses
ttpT1546 Event Triggered Executionuses

Read the full analysis →