Cross-Platform NPM Stealer, (Fri, May 22nd)

ID: c48af5b4-dd4a-5cd1-878e-3bec046fe6b2

STIX ID: report--c48af5b4-dd4a-5cd1-878e-3bec046fe6b2

Feed Name: SANS ISC Diary

Threat Score
75/100

Date Published: 2026-05-22

Date Updated: 2026-05-22

...
...

This report presents a static analysis of a Node.js stealer distributed through npm that runs on Windows (via WSL), macOS, and Linux. The sample carries three payloads: a credential stealer for Chromium-family browsers (with a list of targeted browsers and cryptocurrency-wallet extension IDs), a recursive scanner that exfiltrates sensitive files, and a WebSocket-based reverse shell. The diary lists IOCs (the sample's SHA256, the C2 IP 216.126.225.243, ports 8085-8087, and a hardcoded HMAC key), notes obfuscation consistent with obfuscator.io, and observes that HTTP communication is done with axios.