VYPR

npm · Malicious package advisory

Malware

forge-jsxy

MAL-2026-3609

Malicious code in forge-jsxy (npm)

Details

forge-jsxy is a malicious npm package part of the same campaign as forge-jsx. It typosquats the name by appending a 'y' and carries an identical fake description ('Node.js integration layer for Autodesk Forge') to impersonate a legitimate Autodesk Forge SDK. The package is a fully-formed RAT deployed from its first published version.

Installing the package on any non-CI machine triggers a multi-stage postinstall chain (postinstall-clipboard-event.mjs, postinstall-bootstrap.mjs, postinstall-agent.mjs) that silently deploys a persistent background agent. The agent captures all keystrokes via native hooks (uiohook-napi), monitors clipboard contents, recursively scans the filesystem for .env files and shell history, steals HuggingFace credentials, and opens a WebSocket-based remote filesystem backdoor for full file browsing and exfiltration. Screenshots are captured and exfiltrated via Discord webhooks. The C2 relay URL is AES-256-GCM encrypted inside the package bundle to hide it from static analysis. Persistence is established across reboots via systemd (Linux), LaunchAgent (macOS), and Task Scheduler (Windows). CI environments (GitHub Actions, GitLab CI, Travis, CircleCI, Jenkins, TeamCity) are detected and skipped to avoid sandbox exposure.

---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (0a0645a2d255ab04d1ce2754b77998d817d9066f86928a293eca787893e60bc3)
Package ships a postinstall script (scripts/postinstall-agent.mjs) and bundled runtime modules (dist/discordRelayUpload.js, dist/relayServer.js, dist/secretScan/agentStartupAudit.js, dist/hfCredentials.js, dist/deploymentDefaults.js) that include patterns commonly seen in both legitimate integrations and supply-chain attacks: base64-encoded blobs decoded via Buffer.from(..., 'base64'), HTTP POSTs, ping/network probes, and outbound fetches to huggingface.co. The naming and module shape (Discord relay upload, HuggingFace credentials, secret-scan agent startup audit, encode-deployment script, deployment defaults) is consistent with a legitimate developer-tool package that integrates with HuggingFace and Discord, but the combination of a postinstall agent script, base64-decoded deployment defaults, hardcoded credentials module, and a 'discordRelayUpload' path that performs POST requests warrants manual inspection. Without traced-code corroboration of the actual data flows (what is read from the installer's environment, where decoded blobs end up, whether postinstall-agent.mjs auto-fetches or executes remote content), the patterns alone do not establish installer-side harm versus a legitimate integration. Reviewer should specifically verify: (1) whether scripts/postinstall-agent.mjs reaches network destinations or executes fetched bytes at install, (2) what dist/deploymentDefaults.js's base64 blobs decode to and how they are used, (3) whether dist/discordRelayUpload.js POSTs caller-supplied data to a hardcoded Discord webhook (silent-relay shape) or only to user-configured destinations, (4) what dist/hfCredentials.js reads and where it sends it.

## Source: ghsa-malware (e049a1e1f4b2c3aa9f933a69305352f1351bd540dfc6535da1321e962d0888cc)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Compromised versions (7)

  • 1.0.105
  • 1.0.108
  • 1.0.121
  • 1.0.103
  • 1.0.120
  • 1.0.104
  • 1.0.107

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.