npm · Malicious package advisory
Malwarepinokio-redis
MAL-2026-6938
Malicious code in pinokio-redis (npm)
Details
pinokio-redis is a malicious npm package and part of the multi-wave "forge-jsx" cross-platform RAT campaign (Wave 4). It was published by npm account 'donimique' (donimiqueakers@gmail.com). The package.json description ('Node.js integration layer for Autodesk Forge') and the bundled README.md (literally titled "# forge-jsx") do not match the package name or the shipped code.
On npm install the declared postinstall chain (postinstall-clipboard-event.mjs, ensure-dist.mjs, postinstall-durable-materialize.mjs, postinstall-bootstrap.mjs, postinstall-agent.mjs) runs scripts/postinstall-agent.mjs, which spawns dist/cli-agent.js as a detached, window-hidden background process. The agent connects over WebSocket to a command-and-control relay whose host, ports and default password are stored as an AES-256-GCM blob in dist/deploymentCipherData.js and decrypted at runtime by XOR-reconstructing a 32-byte key from two halves embedded in dist/deploymentDefaults.js. The decrypted C2 configuration is publicHost 212.193.3.61, relayPort 9877 (WebSocket relay), apiPort 8765 (HTTP API), default password 'secret'. Postinstall also registers OS-level autostart (Windows Run key, macOS LaunchAgent, Linux systemd/XDG autostart; service name forge-js-worker) pointing at a durable copy of the agent stored in a hidden '.forge-jsxy' directory under the platform application-data folder, so the implant survives removal of the npm package.
Once running it performs credential-grade theft: dist/secretScan/agentStartupAudit.js walks the filesystem for BIP39-checksum-valid mnemonics, secp256k1/WIF private keys and BIP32 extended keys (xprv/tprv/zprv); dist/chromiumExtensionDbHarvest.js enumerates Chromium/Edge/Brave/Vivaldi/Yandex/Opera profiles across Windows, macOS and Linux and copies extension LevelDB stores (including MetaMask/Phantom-shaped wallet stores); harvested data is uploaded to the Hugging Face Hub using an embedded hf_ write token (dist/hfCredentials.js) or delivered via the relay; dist/hostInventorySend.js POSTs host inventory (hostname/platform/node/OS) to the relay and dist/discordRelayUpload.js forwards agent-side PNG screenshots to per-client Discord channels.
This is the first wave of the campaign to ship rotated AES key material (new DEPLOYMENT_KEY_A/KEY_B/MASK_A/MASK_B byte arrays, hex 12335cede9edad1edbce89fd3ef0836c8edd3778e48f3f38f2330198ec8b1eb0), verified byte-identical across the four donimique-account packages (zod-pino434, zod-pino444, zredis-typed, pinokio-redis) — a single shared build. C2 212.193.3.61 (AS206216, Advin Services LLC, Nurnberg DE) is reused from the Wave 3 pino-zod/zod-pino IP rotation. The campaign is definitively linked by shared C2 infrastructure, the hardcoded '.forge-jsxy' durable directory, the dist/deploymentCipherData.js + dist/deploymentDefaults.js XOR-key fingerprint, and the '# forge-jsx' README tell that spans multiple package names and npm accounts. Only one version of pinokio-redis (1.0.127) exists and all versions are malicious. Tarball SHA-256: a400b0342add77fd3a58e086334b35e11d79e234b180bb360f48adcd61ec4acd, SHA-1: 04b6035df92ef9eb790d64d425c05c51fce46ca7.
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (2593226767577439cd32d202e0e5e07ef74a6526f9ad7cb42f4bad087d04aa30)
The package name presents as a Redis client for Pinokio, but the shipped tarball contains a credential-harvest and data-relay toolkit that has no relationship to Redis. dist/discordRelayUpload.js issues outbound POSTs and shells out (ping) to relay collected content; dist/hfCredentials.js and dist/secretScan/contentScanner.js decode base64-embedded blobs (Buffer.from(..., 'base64')) at runtime; dist/secretScan/agentStartupAudit.js performs fetch() calls to huggingface.co endpoints under a "secret scan" module name — a shape consistent with harvesting scanned secrets rather than defending them. dist/deploymentDefaults.js and scripts/encode-deployment.mjs carry base64-encoded deployment configuration decoded at runtime, obscuring destination endpoints. scripts/postinstall-agent.mjs runs at npm install (postinstall) and issues network activity (GET, ping) on install without user interaction, providing auto-execution on default install. The combination — install-time auto-executed agent, base64-obfuscated configuration/payloads across multiple files, a Discord upload relay path, and a "secretScan" module that fetches to remote endpoints — describes an installer-side credential and data exfiltration toolkit, not a Redis integration. Name/purpose mismatch, install-time execution, and multi-file obfuscation together satisfy the active-attack shape.
## Source: ghsa-malware (d8c9c7ad731c0929056de138dff2c461e808854d25aea316f6fe865a3d04d8c0)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Compromised versions (1)
- 1.0.127
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.