lazarusholic

Malicious npm Package express-session-js Drops Full RAT Payload

2026-04-02, SafeDep
https://safedep.io/malicious-npm-package-express-session-js/
#ContagiousInterview #NPM

Contents

express-session-js is a malicious npm package that typosquats the popular express-session middleware (60M+ weekly downloads). It contains a dropper that fetches a ~93KB obfuscated payload from a paste service and executes it dynamically using Function.constructor on every require(). Static deobfuscation of the stage-2 payload reveals a full Remote Access Trojan (RAT) and information stealer that connects to 216[.]126[.]237[.]71 via Socket.IO, with capabilities including browser credential theft, crypto wallet extraction, screenshot capture, clipboard monitoring, keylogging, and remote mouse/keyboard control. Multiple indicators link this package to the Contagious Interview campaign, a DPRK/Lazarus operation that has published 338+ malicious npm packages.
Impact:
Indicators of Compromise (IoC):
- express-session-js on npm
- hxxps://jsonkeeper[.]com/b/YY8VI
- 216[.]126[.]237[.]71
- 4801 (socket.io + API), 4806 (file upload), 4809 (browser DB sync)
- a36adbc35e69b22acbf9f834a0deb286
- ~/.npm-compiler/<process.title>
- ~/.npm-cache/__tmp__/
- socket.io-client, screenshot-desktop, clipboardy, @nut-tree-fork/nut-js
- judebelingham <viktoryavorovskiy@ukr[.]net>
- b5cca27ca1d792bd8c46b83fccfa4e5ba38916eb78877a19cbb39392ce98cc39

express-session-js was published on April 1, 2026 at 19:58 UTC by …

IoC
