Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
22 Versions of Malicious npm Package Exploit Crypto Wallets

22 Versions of Malicious npm Package Exploit Crypto Wallets

Posted on May 27, 2026 By CWS

A new malicious npm package, named forge-jsxy, has emerged, targeting cryptocurrency wallets, browser credentials, and sensitive developer information across Windows, macOS, and Linux systems. This package, first registered on May 4, 2026, underwent rapid development, releasing 22 versions in as many days. It stands out as one of the most actively developed malware instances on the npm platform.

The Rise of forge-jsxy

The origins of forge-jsxy trace back to an earlier package, forge-jsx, which was introduced on April 7, 2026. This predecessor operated undetected until its removal nearly a month later. Following this, a new account, jacksonkaandorp2, was created, immediately launching forge-jsxy as a continuation from version 1.0.66.

SafeDep analysts, who monitor malicious open-source packages, linked forge-jsxy to its predecessor through identical command-and-control configurations and encryption schemes. Disguised as a Node.js integration for Autodesk Forge, it appeared credible to developers exploring the registry.

Functionality and Development Phases

Upon installation, a concealed script began collecting data such as keystrokes, clipboard content, and desktop screenshots while avoiding detection in continuous integration environments. Over a 50-day period, the developer released 88 versions under both package names, with functionality akin to commercial spyware.

Development occurred in five phases, starting with versions 1.0.66 to 1.0.76, which included features like sending desktop screenshots to Discord. Subsequent phases added capabilities like remote file browsing and peer-to-peer data channels. On May 18, six versions launched within ten hours, focusing on cryptocurrency file scanning and hidden vault storage for sensitive data.

Persistent Threat and Recommendations

Despite uninstalling forge-jsxy, the malware persists. Starting with version 1.0.81, agent files were copied to hidden directories, allowing it to remain operational. These directories vary by operating system, and a corresponding startup service ensures the agent’s restart post-reboot.

SafeDep advises manual removal of the agent files and associated services. Developers impacted should consider all credentials compromised and generate new crypto wallets on secure systems. The potential for re-emergence under a new name is high if forge-jsxy is taken down.

Indicators of compromise include specific IP addresses, WebSocket and HTTP URLs, npm package versions, and persistence directory paths across operating systems. For further insights, security professionals are encouraged to consult threat intelligence platforms and advisories.

Stay updated with the latest cybersecurity developments by following us on Google News, LinkedIn, and X.

Cyber Security News Tags:crypto wallets, cryptocurrency theft, Cybersecurity, developer security, Linux, macOS, Malware, network security, Node.js, NPM, npm registry, Open Source, persistent malware, software vulnerabilities, supply chain attacks, Windows

Post navigation

Previous Post: Fake Software Installers Spread DinDoor Malware Backdoor
Next Post: Hackers Exploit AI Tools to Spread Malicious Software

Related Posts

Apache HTTP Server 2.4.64 Released With Patch for 8 Vulnerabilities Apache HTTP Server 2.4.64 Released With Patch for 8 Vulnerabilities Cyber Security News
Apache SeaTunnel Vulnerability Allows Unauthorized Users to Perform Deserialization Attack Apache SeaTunnel Vulnerability Allows Unauthorized Users to Perform Deserialization Attack Cyber Security News
Instagram, Facebook, and WhatsApp to Test New Premium Subscriptions Instagram, Facebook, and WhatsApp to Test New Premium Subscriptions Cyber Security News
Senator Calls for FTC Investigation into Microsoft’s Use of Outdated RC4 Encryption and Kerberoasting Vulnerabilities Senator Calls for FTC Investigation into Microsoft’s Use of Outdated RC4 Encryption and Kerberoasting Vulnerabilities Cyber Security News
Chinese Threat Actors Using 2,800 Malicious Domains to Deliver Windows-Specific Malware Chinese Threat Actors Using 2,800 Malicious Domains to Deliver Windows-Specific Malware Cyber Security News
Critical Flaw in Perplexity’s Comet Browser Exploited Critical Flaw in Perplexity’s Comet Browser Exploited Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • KittySploit: AI-Driven PenTesting with Over 1150 Modules
  • Cybersecurity Update: Linux Flaws, Ubiquiti Issues, Accenture Breach
  • Apple Accuses OpenAI of Trade Secret Misappropriation
  • Espionage Campaigns Target Pakistani Police Portals
  • Compromised jscrambler npm Package Drops Infostealer

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • KittySploit: AI-Driven PenTesting with Over 1150 Modules
  • Cybersecurity Update: Linux Flaws, Ubiquiti Issues, Accenture Breach
  • Apple Accuses OpenAI of Trade Secret Misappropriation
  • Espionage Campaigns Target Pakistani Police Portals
  • Compromised jscrambler npm Package Drops Infostealer

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark