MAL-2026-2884

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/forge-jsx/MAL-2026-2884.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-2884
Published
2026-04-15T18:37:07Z
Modified
2026-04-20T01:49:41.162027Z
Summary
Malicious code in forge-jsx (npm)
Details

forge-jsx is a malicious npm package that impersonates an Autodesk Forge SDK. It was published as a fully-formed RAT from its first version on April 7, 2026. Installing the package on any non-CI machine deploys a persistent background agent that captures all keystrokes, monitors clipboard content, recursively scans the filesystem for .env files, reads shell history, and opens a WebSocket-based remote filesystem backdoor. All stolen data flows to 204.10.194.247. Persistence survives reboots via systemd (Linux), LaunchAgent (macOS), and Task Scheduler (Windows).

Database specific
{
    "malicious-packages-origins": null
}

Affected packages

npm / forge-jsx

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/forge-jsx/MAL-2026-2884.json"