Malicious npm RAT Campaign Delivers Persistent Backdoor Access
ID: fb3bda75-94f5-55e3-9723-a17f2f927963
STIX ID: report--fb3bda75-94f5-55e3-9723-a17f2f927963
Feed Name: Cyber Press
A malicious Remote Access Trojan distributed via the npm package "forge-jsxy" (v1.0.66–v1.0.91) reappeared after an initial takedown, with the operator pushing rapid updates that turned it into a full-featured backdoor and infostealer. The agent performs system-wide keylogging and clipboard monitoring, exfiltrates shell history and .env secrets, scans for and validates cryptocurrency wallet keys (BIP39, Solana, secp256k1) for automated theft, and harvests browser extension data across many Chromium-based browsers. It maintains durable persistence across Linux/macOS/Windows, supports automatic upgrades via a WebSocket relay and peer-to-peer WebRTC channels, and exfiltrates stolen data to a C2 IP, Discord webhooks, and attacker-controlled Hugging Face repositories. The report includes IoCs (package names, C2 IP and ports, persistence paths, SHA-256) and remediation recommendations.
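The first remediation step for a campaign like this is finding out whether the affected package ever landed in a project's dependency tree. The following script is an added example, not code from the report or from Cyber Press: it walks an npm `package-lock.json` (both the lockfileVersion 1 `dependencies` tree and the lockfileVersion 2/3 `packages` map) and flags `forge-jsxy` at any version inside the range the report names. Only the package name and the version range come from the report; the lockfile layouts are the standard npm formats, and the sample lockfiles embedded below are constructed for illustration.

```python
"""Flag forge-jsxy v1.0.66-v1.0.91 (the range named in the report) in npm lockfiles."""
import json
from pathlib import Path
from typing import Iterator, Tuple

AFFECTED_PACKAGE = "forge-jsxy"
AFFECTED_RANGE = ((1, 0, 66), (1, 0, 91))  # inclusive bounds, from the report


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '1.0.70' into (1, 0, 70); pre-release and build tags are ignored."""
    core = version.split("-")[0].split("+")[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(name: str, version: str) -> bool:
    """True only for the exact package name inside the reported version range."""
    if name != AFFECTED_PACKAGE:
        return False
    low, high = AFFECTED_RANGE
    return low <= parse_version(version) <= high


def iter_lockfile_entries(lock: dict) -> Iterator[Tuple[str, str, str]]:
    """Yield (name, version, install path) from v1 and v2/v3 lockfile layouts."""
    # lockfileVersion 2/3: flat map keyed by install path, "" is the root project
    for path, meta in lock.get("packages", {}).items():
        if not path or "version" not in meta:
            continue
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        yield name, meta["version"], path

    # lockfileVersion 1 (also present in v2 for compatibility): nested tree
    def walk(deps: dict, prefix: str) -> Iterator[Tuple[str, str, str]]:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if "version" in meta:
                yield name, meta["version"], path
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_affected(lock: dict) -> list:
    """Return sorted, de-duplicated (name, version, path) hits for the affected range."""
    return sorted({entry for entry in iter_lockfile_entries(lock) if is_affected(entry[0], entry[1])})


def check_lockfile(path: str) -> list:
    """Load a package-lock.json from disk and report affected entries."""
    return find_affected(json.loads(Path(path).read_text(encoding="utf-8")))


# Constructed sample lockfiles (not real project data): one hit in range, one version
# outside the range, and one unrelated package, in both lockfile layouts.
SAMPLE_LOCK_V3 = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/forge-jsxy": {"version": "1.0.70"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/other-dep/node_modules/forge-jsxy": {"version": "1.0.95"},
    },
}

SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "left-pad": {"version": "1.3.0"},
        "other-dep": {
            "version": "2.0.0",
            "dependencies": {"forge-jsxy": {"version": "1.0.91"}},
        },
    },
}

if __name__ == "__main__":
    for label, lock in (("v3 sample", SAMPLE_LOCK_V3), ("v1 sample", SAMPLE_LOCK_V1)):
        for name, version, install_path in find_affected(lock):
            print(f"{label}: {name}@{version} at {install_path} is in the reported range")
```

Run it against a real lockfile with `check_lockfile("path/to/package-lock.json")`; an empty list means the package never appeared at an affected version in that tree. A hit is a reason to treat the host that installed it as compromised and to follow the report's remediation guidance (rotate any secrets that were present in `.env` files or shell history on that machine), since the lockfile only tells you the package was installed, not what its install-time code did.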
