Supply-chain threat intelligence

Incident detail

critical · npm · credential theft · osv

Malicious code in log-taker1 (npm)

log-taker1

Risk score

92

AI summary

Indexed incident for log-taker1 (npm).

Description

Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. log-taker1 embeds a full infostealer (~2800 lines) directly in index.js, executed at install time via postinstall: node test.js. The payload harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, .npmrc tokens, Docker config, shell history, and password manager databases, exfiltrating all data to the C2 domain log-taker.store. The C2 is shared with the rohmat2527 maintainer account.

Technical details

Affected versions

>=0

Indicators

  • affected version >=0 (75%)

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents