New npm Supply Chain Attack Uses undicy-http to Deploy Screen-Streaming RAT and Browser Injector
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A malicious npm package named\u00a0 The package impersonates\u00a0 Instead, it launches a two-stage attack capable of stealing browser credentials, hijacking active sessions, and giving attackers live remote access to a victim\u2019s screen, microphone, and webcam.<\/a><\/p>\n The package (version 2.0.0) delivers two payloads that work in parallel. The first is a Node.js-based Remote Access Trojan that connects to an attacker-controlled WebSocket server, enabling remote shell execution, screen streaming, file uploads, and microphone and webcam recording. <\/p>\n The second is a native Windows executable called\u00a0 JFrog Security researchers identified the package<\/a> on March 31, 2026, attributing it to the threat group known as LofyGang. The package\u2019s author field reads\u00a0 Hardcoded strings reading\u00a0 This campaign marks a significant step up from previous LofyGang attacks, which used only JavaScript to steal Discord tokens and credit card data.<\/a><\/p>\n The attack\u2019s reach goes beyond browser data. The malware targets session data from six platforms \u2014 Roblox, Instagram, Spotify, TikTok, Steam, and Telegram. <\/p>\n It also goes after 28 desktop cryptocurrency wallets<\/a>, six hardware wallet integrations including Ledger and Trezor, and over 90 browser wallet extensions. <\/p>\n Stolen data moves through two channels simultaneously \u2014 a Discord webhook and a Telegram bot \u2014 with large files first uploaded to gofile.io or catbox.moe before download links reach the attacker.<\/a><\/p>\n Notably,\u00a0 Since December 2025, that rule has matched over 1,750 malicious samples, with new matches recorded through March 2026.<\/a><\/p>\n When a developer installs\u00a0 If not, it writes a VBScript file to the system\u2019s temp folder and re-launches itself using\u00a0 The malware then establishes three persistence mechanisms to survive system restarts. It first creates a scheduled task named\u00a0 If that step fails, it falls back to writing a registry run key. As a final option, it places a copy of itself in the Windows Startup folder. The VBScript launcher file is then hidden using\u00a0 To avoid security tools<\/a>, the malware runs ten anti-VM checks targeting MAC addresses, BIOS strings, disk names, and active processes to detect sandbox environments such as ANY.RUN, Cuckoo, and Triage. <\/p>\n It also looks for analysis tools like Wireshark, IDA, and Ghidra. To deceive the victim, it pops up a fake missing-DLL Windows error dialog while the payload continues running silently in the background. <\/p>\n The native binary\u00a0 Developers should immediately run\u00a0 Delete the VBS files from the temp folder and reinstall all Discord clients to clear injected code. Rotate all passwords, Discord tokens<\/a>, and session credentials for Roblox, Instagram, Spotify, TikTok, Steam, and Telegram. <\/p>\n Move cryptocurrency to new wallets with fresh seed phrases on a clean machine, and block the C2 address\u00a0 Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post New npm Supply Chain Attack Uses undicy-http to Deploy Screen-Streaming RAT and Browser Injector<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nundicy-http<\/code>\u00a0has surfaced inside the Node.js developer ecosystem, quietly compromising machines of developers who mistakenly install it. <\/p>\nundici<\/code>, the official HTTP client library bundled with Node.js that handles millions of weekly downloads. Despite sharing a near-identical name,\u00a0undicy-http<\/code>\u00a0contains zero HTTP client functionality. <\/p>\nchromelevator.exe<\/code>, which injects into browser processes at the operating system level to steal passwords, cookies, credit card numbers, IBANs, and session tokens from over 50 browsers and 90 cryptocurrency wallet extensions.<\/a><\/p>\nConsoleLofy<\/code>, a direct match to LofyGang\u2019s documented alias dictionary. <\/p>\n\"Lofygang Started\"<\/code>\u00a0and Portuguese-language log messages throughout the code confirm the group\u2019s Brazilian roots. <\/p>\nchromelevator.exe<\/code>\u00a0matches a YARA detection rule named\u00a0MAL_Browser_Stealer_Dec25_2<\/code>, associated with the broader GlassWorm Campaign attack framework. <\/p>\nInfection Chain: How the Malware Hides and Persists<\/strong><\/h2>\n
undicy-http<\/code>, the main script (index.js<\/code>) checks immediately whether it is running as a hidden process. <\/p>\nwscript.exe<\/code>\u00a0with a hidden window, leaving no visible trace of execution.<\/p>\nScreenLiveClient<\/code>\u00a0that launches at login with the highest available system privileges. <\/p>\nattrib +h +s<\/code>\u00a0to avoid easy detection.\u00a0<\/p>\nchromelevator.exe<\/code>\u00a0goes even further by using direct syscalls that sidestep standard\u00a0ntdll.dll<\/code>\u00a0APIs, bypassing EDR and antivirus hooks at the user-mode level.\u00a0<\/p>\nnpm uninstall undicy-http<\/code>, end all\u00a0node<\/code>\u00a0and\u00a0wscript.exe<\/code>\u00a0processes, and remove the\u00a0ScreenLiveClient<\/code>\u00a0scheduled task and its registry key. <\/p>\n24[.]152[.]36[.]243<\/code>\u00a0and domain\u00a0amoboobs[.]com<\/code>. Re-imaging the system is advised if\u00a0chromelevator.exe<\/code>\u00a0ran, as manual cleanup alone cannot guarantee full system trust.<\/p>\n