npm Supply Chain Attack - New Malware Undermines Security
In short: a typosquatted npm package is tricking developers into installing malware that steals their data.
A malicious npm package, undicy-http, compromises developer machines by deploying a Remote Access Trojan together with a browser and wallet credential stealer. Developers who installed it must act quickly to clean their systems and rotate their credentials.
What Happened
A new threat has emerged in the Node.js developer ecosystem. A malicious npm package named undicy-http impersonates the legitimate undici HTTP client library through a lookalike name (typosquatting). Developers who mistype or misread the name and install it have their machines quietly compromised. Unlike its legitimate counterpart, undicy-http contains no HTTP client functionality at all; instead it launches a two-stage attack designed to steal sensitive data and give attackers remote access to the victim's machine, including the screen and microphone.
The attack was identified by JFrog Security researchers on March 31, 2026. Version 2.0.0 of the package delivers two payloads that work in tandem. The first is a Node.js-based Remote Access Trojan (RAT) that connects to an attacker-controlled WebSocket server, through which the attackers execute commands, stream the victim's screen, and record audio from the microphone. The second is a Windows executable named chromelevator.exe, which injects itself into browser processes to extract stored data from more than 50 browsers and 90 cryptocurrency wallet extensions.
Who's Being Targeted
The attack targets npm users who unknowingly install the package, which in practice means Node.js developers. The payloads go after more than browser data: they also harvest session data for Roblox, Instagram, Spotify, TikTok, Steam, and Telegram, target 28 desktop cryptocurrency wallets, and extend to the hardware wallets Ledger and Trezor. This breadth of targeting makes it a significant threat both to developers and to the end users whose accounts and wallets are exposed.
The threat group behind this attack, known as LofyGang, has escalated its tactics. Previously, they relied on JavaScript to steal Discord tokens and credit card information. However, this new campaign marks a substantial upgrade in their capabilities, allowing for more extensive data theft and remote access.
Signs of Infection
Developers may notice several signs of infection. The malware checks whether it is already running as a hidden process; if not, it writes a VBScript file and uses it to relaunch itself without a visible window. For persistence it creates a scheduled task named ScreenLiveClient so that it survives reboots. A scheduled task by that name, unexpected node or wscript.exe processes, and VBScript files in the temp folder are therefore the indicators to look for.
The malware also performs anti-VM checks so that it does not run inside the virtual machines and sandboxes security tools use for analysis, and it displays fake error messages to explain away its activity while it keeps running in the background. Once chromelevator.exe has executed, the machine cannot be considered trustworthy without a full re-image: the stealer injects into browser processes, and manual cleanup cannot prove what else it did.
How to Protect Yourself
Immediate action is essential for anyone who may have installed undicy-http. First, remove the package with npm uninstall undicy-http. Removing the package alone does not undo the persistence the RAT has already set up, so next, from an elevated prompt, terminate all node and wscript.exe processes, delete the ScreenLiveClient scheduled task and its associated registry key, and delete any VBScript files from the temp folder.
To safeguard personal information, rotate all passwords, Discord tokens, and session credentials for the affected platforms, and do so from a machine known to be clean. Cryptocurrency users should transfer assets to new wallets with fresh seed phrases generated on a secure machine. Blocking the command-and-control address 24[.]152[.]36[.]243 and the domain amoboobs[.]com cuts off the RAT's channel and helps limit further damage. Re-image the system if chromelevator.exe has executed, as manual cleanup cannot guarantee full security.
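As an added example (not from the article or from JFrog's write-up), the following PowerShell script runs the checks from "Signs of Infection" above and, when called with -Remediate, performs the cleanup steps from this section, including a check of the project's package.json and package-lock.json for the malicious package. The indicator values (package name, task name, process names, C2 address and domain) are the ones the article gives; the search paths for chromelevator.exe, the Task Scheduler cache key used to verify the task is gone, and the firewall-rule and hosts-file blocking method are my assumptions, not details from the article.

```powershell
# Triage and cleanup for the undicy-http indicators described in this article.
# Added example, not the article's or JFrog's code. Run from an elevated PowerShell.
# Without -Remediate the script only reports what it finds.
[CmdletBinding()]
param(
    [string]$ProjectPath = (Get-Location).Path,  # folder holding package.json / package-lock.json
    [switch]$Remediate
)

$BadPackage = 'undicy-http'        # typosquat of undici (from the article)
$TaskName   = 'ScreenLiveClient'   # persistence task the RAT registers (from the article)
$C2Address  = '24.152.36.243'      # C2 IP (from the article)
$C2Domain   = 'amoboobs.com'       # C2 domain (from the article)
$findings   = @()

# 1. Is the package referenced in the manifest or lockfile, or installed on disk?
foreach ($file in 'package.json', 'package-lock.json') {
    $path = Join-Path $ProjectPath $file
    if ((Test-Path $path) -and (Select-String -Path $path -Pattern "`"$BadPackage`"" -Quiet)) {
        $findings += "$BadPackage referenced in $path"
    }
}
$installed = Join-Path $ProjectPath "node_modules\$BadPackage"
if (Test-Path $installed) { $findings += "$BadPackage installed at $installed" }

# 2. Persistence: the scheduled task named in the article.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $findings += "scheduled task $TaskName present (runs: $($task.Actions.Execute) $($task.Actions.Arguments))"
}

# 3. Running node / wscript processes (wscript.exe is the hidden-relaunch helper).
$procs = Get-Process -Name node, wscript -ErrorAction SilentlyContinue
foreach ($p in $procs) { $findings += "running process $($p.ProcessName) (PID $($p.Id)): $($p.Path)" }

# 4. VBScript relaunch files in the temp folder.
$vbs = Get-ChildItem -Path $env:TEMP -Filter '*.vbs' -File -ErrorAction SilentlyContinue
foreach ($f in $vbs) { $findings += "VBScript in temp: $($f.FullName)" }

# 5. Any trace of chromelevator.exe. Assumption: the article does not say where it is
#    dropped, so TEMP and LOCALAPPDATA are searched as the usual drop locations.
$stealer = Get-ChildItem -Path $env:TEMP, $env:LOCALAPPDATA -Recurse -Filter 'chromelevator.exe' `
               -File -ErrorAction SilentlyContinue
foreach ($f in $stealer) { $findings += "chromelevator.exe found at $($f.FullName): re-image this host" }

if ($findings.Count -eq 0) { Write-Host "No $BadPackage indicators found."; return }
$findings | ForEach-Object { Write-Warning $_ }
if (-not $Remediate) { Write-Host 'Re-run with -Remediate to clean up.'; return }

# --- Cleanup, in the order the article gives ---
if (Test-Path $installed) {
    Push-Location $ProjectPath
    npm uninstall $BadPackage
    Pop-Location
}
Get-Process -Name node, wscript -ErrorAction SilentlyContinue | Stop-Process -Force
if ($task) { Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false }
# Unregister-ScheduledTask also clears the task's entries in the Task Scheduler cache.
# Assumption: the article's unnamed "associated registry key" is this cache entry, so
# confirm nothing by that name survives there.
$cache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
Get-ChildItem -Path $cache -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like "*$TaskName*" } |
    Remove-Item -Recurse -Force
$vbs | Remove-Item -Force -ErrorAction SilentlyContinue

# Block the C2 at the host firewall (IP) and via the hosts file (domain).
New-NetFirewallRule -DisplayName "Block $BadPackage C2" -Direction Outbound `
    -RemoteAddress $C2Address -Action Block | Out-Null
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hosts -Pattern ([regex]::Escape($C2Domain)) -Quiet)) {
    Add-Content -Path $hosts -Value "0.0.0.0 $C2Domain"
}
Write-Host 'Cleanup done. Rotate credentials and move crypto assets from a clean machine; re-image if chromelevator.exe ran.'
```

Run it first without -Remediate and read the warnings: a chromelevator.exe hit means the host should be re-imaged rather than cleaned, exactly as the article advises, and the credential rotation and wallet migration still have to be done by hand from a machine you trust.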