OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-6575 confirms this npm version as malicious. Package @ibrahim1337/baksen ships a Windows x64 infostealer toolkit that targets Chromium-family browsers (Chrome, Brave, Edge, Opera, Opera GX) on the machine running the CLI...
Advisory
MAL-2026-6575
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @ibrahim1337/baksen (npm)
Details
Package @ibrahim1337/baksen ships a Windows x64 infostealer toolkit that targets Chromium-family browsers (Chrome, Brave, Edge, Opera, Opera GX) on the machine running the CLI. The JS layer enumerates browser profile directories and reads the 'Local State', 'Cookies', and 'Login Data' SQLite databases, executing queries such as `SELECT origin_url, username_value, password_value FROM logins` and `SELECT host_key, name, encrypted_value,... FROM cookies`. It extracts the AES master key and the Chrome v20 `os_crypt.app_bound_encrypted_key` from Local State, then decrypts cookies and saved passwords with AES-256-GCM and writes the plaintext credentials to local `_cookies/` and `_passwords/` directories. A bundled opaque Windows native addon `build/Release/debugelevator.node` (declared in package.json `files`, `os: win32`, `cpu: x64`) performs the App-Bound key elevation — the documented technique used by recent Chromium infostealers to bypass Chrome v20 encryption. Strings inside the bundle include 'DebugElevator - scanning all detected browsers', 'Launching... browser(s) in parallel for App-Bound key', and 'APP-KEY'. A license module fetches an allowlist of valid keys from `https://raw.githubusercontent.com/tabo1337/SaatPCBKod/refs/heads/main/key.txt` (an account unrelated to the publisher) and caches the result at `~/.baksen_cache`, indicating a sold/distributed hacktool model. Package metadata is placeholder ('hadiyapic' description, `github.com/yourusername/baksen` repository URL) with no legitimate provenance. Installing and running this package on a Windows host with any of the listed browsers results in extraction of saved passwords and session cookies — credential theft against the machine running it.
Decision reason
OpenSSF Malicious Packages via OSV confirms @ibrahim1337/baksen@2.0.6 as malicious (MAL-2026-6575): Malicious code in @ibrahim1337/baksen (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory