A new malicious npm package, named forge-jsxy, has emerged, targeting cryptocurrency wallets, browser credentials, and sensitive developer information across Windows, macOS, and Linux systems. This package, first registered on May 4, 2026, underwent rapid development, releasing 22 versions in as many days. It stands out as one of the most actively developed malware instances on the npm platform.
The Rise of forge-jsxy
The origins of forge-jsxy trace back to an earlier package, forge-jsx, which was introduced on April 7, 2026. This predecessor operated undetected until its removal nearly a month later. Following this, a new account, jacksonkaandorp2, was created, immediately launching forge-jsxy as a continuation from version 1.0.66.
SafeDep analysts, who monitor malicious open-source packages, linked forge-jsxy to its predecessor through identical command-and-control configurations and encryption schemes. Disguised as a Node.js integration for Autodesk Forge, it appeared credible to developers exploring the registry.
Functionality and Development Phases
Upon installation, a concealed script began collecting data such as keystrokes, clipboard content, and desktop screenshots while avoiding detection in continuous integration environments. Over a 50-day period, the developer released 88 versions under both package names, with functionality akin to commercial spyware.
Development occurred in five phases, starting with versions 1.0.66 to 1.0.76, which included features like sending desktop screenshots to Discord. Subsequent phases added capabilities like remote file browsing and peer-to-peer data channels. On May 18, six versions launched within ten hours, focusing on cryptocurrency file scanning and hidden vault storage for sensitive data.
Persistent Threat and Recommendations
Uninstalling forge-jsxy does not remove the malware. Starting with version 1.0.81, the agent files were copied to hidden directories, allowing the agent to remain operational after the package itself is gone. These directories vary by operating system, and a corresponding startup service ensures the agent restarts after a reboot.
SafeDep advises manual removal of the agent files and associated services. Developers impacted should consider all credentials compromised and generate new crypto wallets on secure systems. The potential for re-emergence under a new name is high if forge-jsxy is taken down.
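The concealed script described above runs because npm executes a package's install-time lifecycle hooks during `npm install`. As an added defender-side check (not SafeDep's or the article's code), the following audits a node_modules tree for packages that declare such hooks; the package names, versions and scripts it builds are constructed for illustration.

```python
"""Audit an installed node_modules tree for packages that run code at install
time (preinstall/install/postinstall lifecycle scripts), the hook through which
a malicious package gets to run a concealed script on `npm install`.
Added example, not the article's or SafeDep's code; the sample tree below is
constructed with hypothetical package names."""
import json
import os
import tempfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_scripts(node_modules_dir):
    """Return a sorted list of (package name, version, hook names) for every
    package.json under node_modules_dir that declares an install-time hook.
    Nested and scoped (@scope/name) packages are covered by the recursive walk."""
    findings = []
    for root, _dirs, files in os.walk(node_modules_dir):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep scanning
        scripts = meta.get("scripts") or {}
        hooks = tuple(h for h in INSTALL_HOOKS if h in scripts)
        if hooks:
            findings.append((meta.get("name", root), meta.get("version", "?"), hooks))
    return sorted(findings)


def build_sample_tree():
    """Construct a throwaway node_modules with one package that only has a test
    script and one that declares a postinstall hook (hypothetical names)."""
    nm = os.path.join(tempfile.mkdtemp(), "node_modules")
    pkgs = {
        "benign-demo": {"name": "benign-demo", "version": "1.0.0",
                        "scripts": {"test": "node test.js"}},
        "suspicious-demo": {"name": "suspicious-demo", "version": "1.0.0",
                            "scripts": {"postinstall": "node setup.js"}},
    }
    for folder, meta in pkgs.items():
        os.makedirs(os.path.join(nm, folder))
        with open(os.path.join(nm, folder, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return nm


if __name__ == "__main__":
    for name, version, hooks in find_install_scripts(build_sample_tree()):
        print(f"{name}@{version} runs code at install time via: {', '.join(hooks)}")
```

Run it against a real project's node_modules to list every package that executes code during installation; npm's `ignore-scripts` config option disables such hooks entirely for installs where none are expected.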
Indicators of compromise include specific IP addresses, WebSocket and HTTP URLs, npm package versions, and persistence directory paths across operating systems. For further insights, security professionals are encouraged to consult threat intelligence platforms and advisories.
