MAL-2026-3609
Vulnerability from ossf_malicious_packages
forge-jsxy is a malicious npm package that belongs to the same campaign as forge-jsx. It typosquats the name by appending a 'y' and carries an identical fake description ('Node.js integration layer for Autodesk Forge') to impersonate a legitimate Autodesk Forge SDK. The package is a fully-formed RAT deployed from its first published version.
Installing the package on any non-CI machine triggers a multi-stage postinstall chain (postinstall-clipboard-event.mjs, postinstall-bootstrap.mjs, postinstall-agent.mjs) that silently deploys a persistent background agent. The agent captures all keystrokes via native hooks (uiohook-napi), monitors clipboard contents, recursively scans the filesystem for .env files and shell history, steals HuggingFace credentials, and opens a WebSocket-based remote filesystem backdoor for full file browsing and exfiltration. Screenshots are captured and exfiltrated via Discord webhooks. The C2 relay URL is AES-256-GCM encrypted inside the package bundle to hide it from static analysis. Persistence is established across reboots via systemd (Linux), LaunchAgent (macOS), and Task Scheduler (Windows). CI environments (GitHub Actions, GitLab CI, Travis, CircleCI, Jenkins, TeamCity) are detected and skipped to avoid sandbox exposure.
```json
{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "forge-jsxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "SEMVER"
        }
      ]
    }
  ],
  "credits": [
    {
      "contact": [
        "https://safedep.io"
      ],
      "name": "SafeDep",
      "type": "FINDER"
    }
  ],
  "database_specific": {
    "malicious-packages-origins": null
  },
  "details": "forge-jsxy is a malicious npm package part of the same campaign as forge-jsx. It typosquats the name by appending a \u0027y\u0027 and carries an identical fake description (\u0027Node.js integration layer for Autodesk Forge\u0027) to impersonate a legitimate Autodesk Forge SDK. The package is a fully-formed RAT deployed from its first published version.\n\nInstalling the package on any non-CI machine triggers a multi-stage postinstall chain (postinstall-clipboard-event.mjs, postinstall-bootstrap.mjs, postinstall-agent.mjs) that silently deploys a persistent background agent. The agent captures all keystrokes via native hooks (uiohook-napi), monitors clipboard contents, recursively scans the filesystem for .env files and shell history, steals HuggingFace credentials, and opens a WebSocket-based remote filesystem backdoor for full file browsing and exfiltration. Screenshots are captured and exfiltrated via Discord webhooks. The C2 relay URL is AES-256-GCM encrypted inside the package bundle to hide it from static analysis. Persistence is established across reboots via systemd (Linux), LaunchAgent (macOS), and Task Scheduler (Windows). CI environments (GitHub Actions, GitLab CI, Travis, CircleCI, Jenkins, TeamCity) are detected and skipped to avoid sandbox exposure.",
  "id": "MAL-2026-3609",
  "modified": "2026-05-06T00:00:00Z",
  "published": "2026-05-06T00:00:00Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://safedep.io/malicious-forge-jsx-npm-rat/"
    }
  ],
  "schema_version": "1.7.4",
  "summary": "Malicious code in forge-jsxy (npm)"
}
```
Sightings

| Author | Source | Type | Date | Other |
|---|---|---|---|---|

Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.