22 Versions of npm Malware Steal Crypto and Credentials

npm Package Delivers 22 Malicious Versions in 22 Days

According to recent reports, a malicious npm package named forge-jsxy has been actively stealing cryptocurrency wallet keys, browser credentials, and other sensitive developer data. The package was published to the npm registry on May 4, 2026, and rapidly pushed 22 versions over the next 22 days, marking it as one of the most aggressively developed pieces of malware observed in the ecosystem.

Cross-Platform Threat

The malware operates across Windows, macOS, and Linux systems, making it a versatile threat for developers regardless of their operating system. Once installed, it deploys a remote access trojan (RAT) that establishes a persistent backdoor, allowing attackers to maintain long-term access to compromised systems.

Data Theft Capabilities

Forge-jsxy specifically targets cryptocurrency wallet files and browser-stored credentials. By exfiltrating these assets, attackers can drain digital wallets and gain unauthorized access to online accounts. The package's rapid version updates suggest an active development effort to evade detection and improve its stealth capabilities.

Implications for Developers

This incident highlights the ongoing risk of supply chain attacks in the open-source ecosystem. Developers are advised to carefully vet packages before installation, monitor for suspicious updates, and use security tools that can detect anomalous behavior in dependencies. The npm registry has been notified, but users should check their projects for any reference to forge-jsxy and remove it immediately.