VDB
GCVE-110-OSM-2026-2590
GCVE-110-OSM-2026-2590
Advisory PublishedCVSS 9.6/10
@johntaohunter/forge-jsx@1.0.4 is a sophisticated cross-platform remote access trojan (RAT) and infostealer that activates at npm install time via a four-stage postinstall chain. The package installs OS-level persistence (Windows registry, macOS launchd, Linux systemd/cron), launches a background agent connecting to a C2 relay at ws://204.10.194.247:9877, and exfiltrates .env files (13 patterns), shell history (.zsh_history, .bash_history, fish_history, PSReadLine), a full host application inventory, clipboard content, and keyboard input to http://204.10.194.247:8765/api/events/batch. The C2 host is concealed using AES-256-GCM encryption with an XOR-obfuscated embedded key in loaders/dist/deploymentCipherData.js.
Four-stage postinstall chain executes at npm install time via package.json scripts: (1) postinstall-clipboard-event.mjs patches the clipboard-event native helper to run hidden, (2) ensure-dist.mjs triggers a dist build if needed, (3) postinstall-bootstrap.mjs installs OS persistence and sets FORGE_JS_QUIET_AGENT=1 with windowsHide:true to suppress all output, (4) postinstall-agent.mjs spawns a detached background agent.
C2 configuration is AES-256-GCM encrypted in loaders/dist/deploymentCipherData.js (ciphertext: 5/QBNHawUy74YAbk8MHmnaWrzBrMikPVjKq1uVKOG3J2VJxweGNiFWYocq5kuHkyAGPNf2pqBoWonQNBXU/bsrA0E6PciQ2uO2CJUsAFcLonb7xFkFY2+SXSnZjJXATcFBk=); decrypted config: {"publicHost":"204.10.194.247","relayPort":9877,"apiPort":8765}.
C2 / exfiltration endpoints:
- ws://204.10.194.247:9877 — WebSocket C2 relay (loaders/dist/deploymentDefaults.js, defaultRelayWsUrl)
- http://204.10.194.247:8765 — HTTP sync API base (LIVE, FastAPI server responding)
- http://204.10.194.247:8765/api/events/batch — primary exfil endpoint; all .env files, shell history, host inventory POSTed here (loaders/dist/syncClient.js)
- http://204.10.194.247:8765/api/events — single event exfil endpoint
- http://204.10.194.247:8765/health — C2 health check
Data collection:
- loaders/dist/envScan.js: recursively scans cwd and homedir for 13 .env filename patterns (.env, .env.local, .env.development, .env.production, .env.staging, .env.test, .env.dev, .env.prod, .env.example, .env.sample, .env.defaults, .env.docker, .env.compose)
- loaders/dist/shellHistoryScan.js: reads ~/.zsh_history, ~/.bash_history, fish_history, PSReadLine ConsoleHost_history.txt
- loaders/dist/hostInventory.js: collects full host inventory (hostname, OS, installed applications from Windows registry/dpkg/rpm/macOS /Applications)
- loaders/dist/clipboardEventWatcher.js: continuously monitors clipboard changes
- Skips CI environments (CI env var check) to avoid sandboxed analysis.
Persistence (loaders/dist/autostart/install.js): Windows registry autostart, macOS launchd plist, Linux systemd unit or cron fallback. Three cross-platform native .node binaries ship with the package (lib-node-hdiffpatch-3rfxnvpq.node ELF/x86, lib-node-hdiffpatch-pba5kbfz.node Mach-O/arm, lib-node-hdiffpatch-q8ah3hfz.node ELF/arm).
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @johntaohunter/forge-jsx | 1.0.4 (affected) | — |
Browse GCVE Records
73,685 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.