npm

sjs-lint-build1

sjs-lint-build1 is identified in the SafeDep analysis "big.js Typosquat Campaign Implants SSH Backdoors". Three waves of big.js typosquats (sjs-biginteger, bjs-biginteger, cjs-biginteger) from throwaway npm accounts implant SSH backdoors and exfiltrate credentials to Cloudflare-disguised C2 infrastructure.

discovered 2026-04-09

Threat types

credential_stealerdata_exfiltrationratpersistencec2_agenttyposquat

Malicious versions

1.0.0

Campaigns

big.js Typosquat SSH Backdoorattributed-to

Indicators

domaincloudflareinsights.vercel.appcommunicates-with
domaincloudflarefirewall.vercel.appcommunicates-with
sha25655bee3abfa26a78989baae1053a778d3b4a984d5451621a851211a45fe2a82b9indicates
sha25602a00a158ceedaaf7a4bf53002a74d60339d4668d463831fe218905816b72e07indicates
sha2569d2037fc0ad9ada672d30e17a9496cbde392c5093a9fde0b8f16d28e2e0c50c7indicates
sha2567bff4518f4d49ddf3d04d8167a6f5f17aed9b3703290f65cf71c61ea61f0a7bcindicates
sha256aa36d4bee44ee1d35af0e211e8cca957044c782b177787b1181d18d6d6323037indicates
sha256f4914c528cf92a7e97ac3b24138afb86b4cd9db6960d92ffbbff36a1fb90ead9indicates
sha256fc095d3e6a613e27d267d80b448101ef78b02ec07dd3993c734202839015fb54indicates
sha25686f60a2196c3d1355efdcfee41f1549c30c6081bf6c106d11e44a64691f8ebd3indicates
email[email protected]exfiltrates-to
email[email protected]exfiltrates-to

Techniques

ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttpT1059.007 Command and Scripting Interpreter: JavaScriptuses
ttpT1036 Masquerading: package impersonation and typosquattinguses
ttpT1552.001 Unsecured Credentials: Credentials In Filesuses
ttpT1041 Exfiltration Over C2 Channeluses
ttpT1552.004 Unsecured Credentials: Private Keysuses
ttpT1105 Ingress Tool Transferuses
ttpT1071.001 Application Layer Protocol: Web Protocolsuses
ttpT1546 Event Triggered Executionuses
ttpT1027 Obfuscated Files or Informationuses

Read the full analysis →