OSV Malicious Advisory
scanned 9d ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-5568 confirms this npm version as malicious. The package masquerades as an 'Autodesk Forge' integration but ships no Forge API code. On `npm install`, `scripts/postinstall-agent.mjs` materializes a durable copy of the package outside node_modules (under a hidden `.forge-jsxyz/runtime/` directory), spawns `dist/cli-agent.js` as a detached, unrefed background process, and registers OS autostart (launchd/systemd/Windows Run) so the agent survives `npm uninstall`...
Advisory
MAL-2026-5568
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in forge-jsx2 (npm)
Details
The package masquerades as an 'Autodesk Forge' integration but ships no Forge API code. On `npm install`, `scripts/postinstall-agent.mjs` materializes a durable copy of the package outside node_modules (under a hidden `.forge-jsxyz/runtime/` directory), spawns `dist/cli-agent.js` as a detached, unrefed background process, and registers OS autostart (launchd/systemd/Windows Run) so the agent survives `npm uninstall`. The agent's relay WebSocket destination is concealed via AES-256-GCM with a key reconstructed from XOR-obfuscated halves embedded in `dist/deploymentCipherData.js`; a leftover diagnostic script (`scripts/windows-forge-diagnostics.ps1`) reveals the hidden host as `212.193.3.61:9877`. Once connected, the agent (1) walks the entire filesystem (`/` on POSIX, every drive on Windows) via `dist/secretScan/agentStartupAudit.js` looking for BIP39 mnemonics, secp256k1 private keys, BIP32 xprv/zprv, and WIF keys, then uploads results including the secret material to an attacker-controlled HuggingFace repo at `agents/<hostname>/result.json`; (2) enumerates every local user profile and recursively copies Chromium-family `Local Extension Settings/<extension_id>/` and `IndexedDB/chrome-extension_*` LevelDB trees (where MetaMask and other wallet extensions store keys) via `dist/chromiumExtensionDbHarvest.js` and uploads them to HuggingFace via `dist/extensionDbHfUpload.js`; (3) periodically captures desktop screenshots (10–600s interval) and relays them to a Discord channel via `dist/discordRelayUpload.js` using `https://discord.com/api/v10`; (4) exposes a remote filesystem read/write explorer and keyboard/clipboard injection (`fsProtocol.js`, `filesExplorer.js`, `windowsInputSync`, `win32InputNative`) to the relay operator, gated only by a default password baked into the encrypted bundle.
## Source: ghsa-malware (cdda3bc454a770043918f1aa9dd3a90ab538733787b052229819c1eeca3488b9) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Decision reason
OpenSSF Malicious Packages via OSV confirms forge-jsx2@1.0.124 as malicious (MAL-2026-5568): Malicious code in forge-jsx2 (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory