Supply-chain threat intelligence
Risk score
92
Indexed incident for @ibrahim1337/baksen (npm).
Package @ibrahim1337/baksen ships a Windows x64 infostealer toolkit that targets Chromium-family browsers (Chrome, Brave, Edge, Opera, Opera GX) on the machine running the CLI. The JS layer enumerates browser profile directories and reads the 'Local State', 'Cookies', and 'Login Data' SQLite databases, executing queries such as SELECT origin_url, username_value, password_value FROM logins and SELECT host_key, name, encrypted_value,... FROM cookies. It extracts the AES master key and the Chrome v20 os_crypt.app_bound_encrypted_key from Local State, then decrypts cookies and saved passwords with AES-256-GCM and writes the plaintext credentials to local _cookies/ and _passwords/ directories. A bundled opaque Windows native addon build/Release/debugelevator.node (declared in package.json files, os: win32, cpu: x64) performs the App-Bound key elevation — the documented technique used by recent Chromium infostealers to bypass Chrome v20 encryption. Strings inside the bundle include 'DebugElevator - scanning all detected browsers', 'Launching... browser(s) in parallel for App-Bound key', and 'APP-KEY'. A license module fetches an allowlist of valid keys from https://raw.githubusercontent.com/tabo1337/SaatPCBKod/refs/heads/main/key.txt (an account unrelated to the publisher) and caches the result at ~/.baksen_cache, indicating a sold/distributed hacktool model. Package metadata is placeholder ('hadiyapic' description, github.com/yourusername/baksen repository URL) with no legitimate provenance. Installing and running this package on a Windows host with any of the listed browsers results in extraction of saved passwords and session cookies — credential theft against the machine running it.
Affected versions
Indicators
Timeline