logo

XPACK Malware Disguises Cryptocurrency Extortion as NPM Package Monetization

ID: cf7cd2cf-704a-598a-8ec2-17ddae803576

STIX ID: report--cf7cd2cf-704a-598a-8ec2-17ddae803576

Feed Name: OpenSourceMalware Blog

Threat Score
75/100

Date Published: 2026-02-09

Date Updated: 2026-06-20

Author: c0a15726-c5b1-4b0d-85e6-fe15553df9e2

...
...

XPACK is a coordinated malicious npm campaign that published multiple packages containing a preinstall hook which fingerprints the device, harvests GitHub identities, exfiltrates data to a Vercel-hosted C2, and enforces a crypto "payment required" (HTTP 402) paywall that blocks installation until a 0.1 USDC/ETH payment is made; the report provides technical analysis, IOCs (domains, wallet, package names, file hashes), timeline, and attribution to npm user dev.chandra_bose.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.