npm

express-session-js

express-session-js is identified in the SafeDep analysis "Malicious npm Package express-session-js Drops Full RAT Payload". A malicious npm package typosquatting express-session fetches and executes a full Remote Access Trojan from a paste service, targeting browser credentials, crypto wallets, SSH keys, and more.

discovered 2026-04-02

Threat types

ratcredential_stealercrypto_drainerdata_exfiltrationc2_agent

Malicious versions

1.19.0

Campaigns

No Specific Campaignattributed-to

Indicators

domainjsonkeeper.comcommunicates-with
domain216.126.237.71communicates-with
ipv4216.126.237.71communicates-with
ipv4216.126.229.166communicates-with
ipv4216.126.227.239communicates-with
sha256b5cca27ca1d792bd8c46b83fccfa4e5ba38916eb78877a19cbb39392ce98cc39indicates
md5a36adbc35e69b22acbf9f834a0deb286indicates
email[email protected]exfiltrates-to

Techniques

ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttpT1059.007 Command and Scripting Interpreter: JavaScriptuses
ttpT1036 Masquerading: package impersonation and typosquattinguses
ttpT1552.001 Unsecured Credentials: Credentials In Filesuses
ttpT1041 Exfiltration Over C2 Channeluses
ttpT1552.004 Unsecured Credentials: Private Keysuses
ttpT1539 Steal Web Session Cookieuses
ttpT1105 Ingress Tool Transferuses
ttpT1071.001 Application Layer Protocol: Web Protocolsuses

Read the full analysis →