registry  /  zod-pino434  /  1.0.127

zod-pino434@1.0.127

Node.js integration layer for Autodesk Forge

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-6794 confirms this npm version as malicious. Package name (`zod-pino434`) and package.json description (`Node.js integration layer for Autodesk Forge`) do not match the shipped code. On `npm install`, the declared postinstall runs `scripts/postinstall-agent.mjs`, which spawns `dist/cli-agent.js` as a detached, window-hidden background process...

Advisory
MAL-2026-6794
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in zod-pino434 (npm)
Details
Package name (`zod-pino434`) and package.json description (`Node.js integration layer for Autodesk Forge`) do not match the shipped code. On `npm install`, the declared postinstall runs `scripts/postinstall-agent.mjs`, which spawns `dist/cli-agent.js` as a detached, window-hidden background process. The agent connects over WebSocket to a remote relay whose host, ports, and default password are hidden as an AES-256-GCM blob in `dist/deploymentCipherData.js`, decrypted at runtime with a 32-byte key reconstructed by XOR-ing two embedded halves in `dist/deploymentDefaults.js` (the relay URL is deliberately kept out of argv). Postinstall additionally invokes `dist/cli-autostart.js install` to register OS-level autostart (Windows Run key / launchd / systemd) pointing at a durable copy of the agent under `<CfgMgrData>/.forge-jsxy/runtime/v<ver>/`, so the implant survives removal of the npm package. Once running, `dist/secretScan/agentStartupAudit.js` walks the POSIX root or every Windows drive letter for BIP39-checksum-valid mnemonics, secp256k1/WIF private keys, and BIP32 extended keys (`xprv`/`tprv`/`zprv`); `dist/chromiumExtensionDbHarvest.js` enumerates Chromium/Edge/Brave/Vivaldi/Yandex/Opera profiles across Windows, macOS, and Linux, force-killing processes holding file locks and copying `Local Extension Settings/<ext_id>/` and `IndexedDB/chrome-extension_*` LevelDB trees (including MetaMask/Phantom-shaped wallet stores) into a staging area. Harvested data is uploaded to `agents/<hostname>/result.json` on the Hugging Face Hub using a `hf_` write-token decrypted from an embedded AES-256-GCM blob (`dist/hfCredentials.js`) or delivered via the relay. `dist/hostInventorySend.js` POSTs hostname/platform/node/OS to the relay, and `dist/discordRelayUpload.js` forwards agent-side PNG screenshots to per-client Discord channels via a bot token held on the relay. Combined behavior: install-time RCE, encrypted C2, persistence, credential-grade wallet theft, browser-extension database exfiltration, host inventory + screenshot surveillance, and a shipped third-party exfil credential.
Decision reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 105 file(s), 1.49 MB of source, external domains: 127.0.0.1, discord.com, github.com, huggingface.co

Source & flagged code

11 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall-clipboard-event.mjs && node scripts/ensure-dist.mjs && node scripts/postinstall-durable-materialize.mjs && node scripts/postinstall-bootstrap.mjs && node s...
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall-clipboard-event.mjs && node scripts/ensure-dist.mjs && node scripts/postinstall-durable-materialize.mjs && node scripts/postinstall-bootstrap.mjs && node s...
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/agentRestartFromQueue.jsView file
42*/ L43: const node_child_process_1 = require("node:child_process"); L44: const fs = __importStar(require("node:fs"));
High
Child Process

Package source references child process execution.

dist/agentRestartFromQueue.jsView on unpkg · L42
scripts/forge-isolated-runtime.mjsView file
21* spawn **`node npm-cli.js …`** with **`shell: false`** and argv arrays — same behavior from **Windows** L22: * (Git Bash, cmd.exe, PowerShell) and **Unix** (bash, zsh, Terminal.app, etc.): paths with spaces stay intact. L23: * Fallbacks: Windows **`npm.cmd`** next to Node / `where`; Linux/macOS **`npm`** next to Node / **`PATH`**.
High
Shell

Package source references shell execution.

scripts/forge-isolated-runtime.mjsView on unpkg · L21
dist/forgeBulkDc.jsView file
20exports.[redacted] = [redacted]; L21: const fsProtocol_1 = require("./fsProtocol"); L22: exports.FORGE_BULK_MAGIC_KEY = "_fb";
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/forgeBulkDc.jsView on unpkg · L20
dist/autostart/darwin.jsView file
40exports.statusDarwinAutostart = statusDarwinAutostart; L41: const node_child_process_1 = require("node:child_process"); L42: const fs = __importStar(require("node:fs")); ... L55: function plistPath() { L56: return path.join(process.env.HOME || os.homedir(), "Library", "LaunchAgents", constants_1.MACOS_PLIST_FILENAME); L57: } ... L83: : ""; L84: // Persist PATH from the install-time environment so child processes (pbpaste, etc.) L85: // are found even when node is installed via nvm, Homebrew, or other non-standard paths. ... L145: const label = constants_1.MACOS_LAUNCH_AGENT_LABEL; L146: (0, node_child_process_1.spawnSync)("launchctl", ["bootout", `${gui}/${label}`], { L147: encoding: "utf-8",
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/autostart/darwin.jsView on unpkg · L40
dist/relayForAgentHttp.jsView file
12* Applies `sync_api_base_url` from the JSON to `FORGE_JS_SYNC_URL` / `CFGMGR_API_URL` when the L13: * agent has no sync URL yet — enables clipboard/env sync **before** the WebSocket `connected` L14: * handshake (which also carries `relay_features.sync_api_base_url`). L15: */ L16: const node_child_process_1 = require("node:child_process"); L17: const node_url_1 = require("node:url"); ... L25: return; L26: const have = (process.env.FORGE_JS_SYNC_URL || "").trim() || L27: (process.env.CFGMGR_API_URL || "").trim() ||
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/relayForAgentHttp.jsView on unpkg · L12
dist/secretScan/agentStartupAudit.jsView file
2/** L3: * Relay-connected agent hook: scan for **validated** cryptocurrency mnemonics / private-key material, L4: * merge unique hits locally in `result.json`, optionally upload JSON to Hugging Face ... L26: * Scheduling: after relay `connected`, runs once per agent **process** start (plus OS reboot / interval). L27: * Same-process WebSocket reconnects are throttled by `FORGE_JS_AGENT_SECRET_AUDIT_MIN_INTERVAL_MS` L28: * unless the saved `agent_process_nonce` matches this process (interval applies). ... L81: const node_crypto_1 = require("node:crypto"); L82: const node_child_process_1 = require("node:child_process"); L83: const hub_1 = require("@huggingface/hub"); ... L106: function readLinuxBootId() { L107: if (process.platform !== "linux") L108: return "";
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/secretScan/agentStartupAudit.jsView on unpkg · L2
scripts/forge-jsx-explorer-kill-agent.mjsView file
12Cross-file remote execution chain: scripts/forge-jsx-explorer-kill-agent.mjs spawns dist/cli-autostart.js; helper contains network access plus dynamic code execution. L12: * L13: * **Parent:** prints one line to stdout, spawns **detached worker**, exits `0` immediately. L14: * **Worker:** runs the steps above with `stdio: ignore` / `windowsHide` where applicable. ... L17: */ L18: import { spawn, spawnSync } from "node:child_process"; L19: import { createRequire } from "node:module"; ... L32: const LEGACY_NPM_PKG = FORGE_LEGACY_NPM_PKG; L33: const __dirname = path.dirname(fileURLToPath(import.meta.url)); L34: ... L41: try { L42: process.stdout.write(s); L43: } catch {
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

scripts/forge-jsx-explorer-kill-agent.mjsView on unpkg · L12
scripts/ensure-dist.mjsView file
47// Node DEP0190 DeprecationWarning about unescaped argument concatenation. L48: const r0 = spawnSync("npm install --include=dev --no-save", { L49: ...spawnOpts,
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/ensure-dist.mjsView on unpkg · L47
scripts/windows-forge-diagnostics.ps1View file
path = scripts/windows-forge-diagnostics.ps1 kind = build_helper sizeBytes = 1839 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/windows-forge-diagnostics.ps1View on unpkg

Findings

7 High7 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/agentRestartFromQueue.js
HighShellscripts/forge-isolated-runtime.mjs
HighSame File Env Network Executiondist/relayForAgentHttp.js
HighSandbox Evasion Gated Capabilitydist/secretScan/agentStartupAudit.js
HighCross File Remote Execution Contextscripts/forge-jsx-explorer-kill-agent.mjs
HighRuntime Package Installscripts/ensure-dist.mjs
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requiredist/forgeBulkDc.js
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/autostart/darwin.js
MediumShips Build Helperscripts/windows-forge-diagnostics.ps1
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings