Threat Grimoire

Encrypts all .js, .ts, .json, and .env files in the project directory using AES-256, replacing them with ransom notes containing payment instructions.

Downloads and stages a ransomware payload that encrypts project files and source code, demanding cryptocurrency payment for the decryption key.

Exploits a buffer overflow in a native addon to corrupt adjacent memory, enabling arbitrary code execution within the Node.js process.

Silently collects environment variables, SSH keys, and API tokens, then transmits them to registry-mirror.xyz via encrypted HTTPS POST requests during package installation.

Uses a decentralized P2P protocol to receive commands from a botnet controller, making takedown of the C2 infrastructure significantly more difficult.

Uses steganographic techniques to embed executable code within PNG image assets included in the package, extracted and executed during module initialization.

Installs a transparent input interceptor that logs all keystrokes in Node.js REPL sessions and interactive CLI tools to a hidden buffer.

Compromised maintainer account used to inject malicious postinstall script in version 5.8.9, affecting all downstream dependents automatically.

Encodes stolen data in DNS query subdomains, using a custom DNS server at cloud-sync.net to reassemble exfiltrated information from query logs.

Implements a full bidirectional communication channel over DNS, capable of transferring files and receiving commands through TXT and CNAME record responses.

Publishes a public package with the same name as an internal corporate package, exploiting package manager resolution to inject malicious code.

Registers common misspellings of lodash (missing hyphen, swapped letters, added suffix) with identical functionality plus embedded credential harvesting.

Monitors file system changes and periodically uploads sensitive configuration files (.env, .npmrc, .docker/config.json) to a remote collection server at node-updates.com.

Legitimate package hijacked through expired domain takeover of the original author email, allowing password reset and npm publish access.

Manipulates the express-session middleware to reuse predictable session IDs, enabling session prediction and unauthorized access to user accounts.

Downloads and executes a WebAssembly-based Monero miner during idle CPU cycles, communicating with mining pool at evil-cdn.xyz via Stratum protocol.

Uses a decentralized P2P protocol to receive commands from a botnet controller, making takedown of the C2 infrastructure significantly more difficult.

Registers common misspellings of cors (missing hyphen, swapped letters, added suffix) with identical functionality plus embedded credential harvesting.

Manipulates the express-session middleware to reuse predictable session IDs, enabling session prediction and unauthorized access to user accounts.

Targets private registry fallback behavior to substitute legitimate internal packages with malicious public versions during automated builds.