Malicious npm package undicy-http impersonates undici and deploys a Windows-focused RAT plus browser stealer


A new npm supply chain attack is targeting developers who mistype undici and install undicy-http instead. JFrog says the package, published as undicy-http@2.0.0, contains no real HTTP client code and instead delivers two malicious payloads: a Node.js remote access trojan and a native Windows binary called chromelevator.exe.

The package is notable because it goes beyond password theft. JFrog says the Node.js layer can stream the victim’s screen, record audio, enumerate webcams, upload files, and run shell commands through a WebSocket control panel. The second-stage Windows binary injects into browser processes and steals credentials, cookies, payment data, and wallet-related data from a long list of browsers and extensions.

Researchers attribute the package to LofyGang based on multiple indicators inside the code, including the author name ConsoleLofy, hardcoded Lofygang strings, Telegram references, and Portuguese-language log messages. That attribution comes from JFrog’s analysis, so it should be presented as JFrog’s assessment rather than an independently confirmed legal attribution.

What makes this package different

This is not a typical postinstall case. JFrog says undicy-http does not rely on a preinstall or postinstall trigger. Instead, the malicious behavior starts when the package binary is invoked through its bin entry, which points directly to index.js.

That detail matters because it changes how defenders should describe the risk. Saying that every install automatically fires the payload overstates the case. The more accurate wording is that the malicious package executes when its packaged binary is run, which still makes it highly dangerous in real-world developer workflows.
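One way to triage an unpacked npm package before anything invokes it, as an added PowerShell example that is not code from the JFrog report or from any npm tooling: it reports lifecycle hooks, bin entries (the trigger JFrog describes), and name segments within a short edit distance of a watchlist of legitimate names. The package directory and the watchlist are assumptions.

```powershell
# Added example, not from the JFrog report. Assumes the package is unpacked under
# node_modules (e.g. .\node_modules\undicy-http) and a caller-supplied watchlist.
function Get-EditDistance([string] $a, [string] $b) {
    # Plain Levenshtein distance, used by the typosquat heuristic below
    $prev = 0..$b.Length
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @($i) + (@(0) * $b.Length)
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($cur[$j - 1] + 1, $prev[$j] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

function Get-NpmPackageRisk {
    param(
        [Parameter(Mandatory)] [string] $PackageDir,
        [string[]] $Watchlist = @('undici')
    )
    $manifest = Get-Content (Join-Path $PackageDir 'package.json') -Raw | ConvertFrom-Json
    $findings = @()

    # Lifecycle hooks fire on install; undicy-http has none, so their absence proves nothing
    foreach ($hook in 'preinstall', 'install', 'postinstall') {
        if ($manifest.scripts -and $manifest.scripts.PSObject.Properties[$hook]) {
            $findings += "lifecycle script '$hook': $($manifest.scripts.$hook)"
        }
    }

    # bin entries run when the package is invoked (npx, npm exec, a scripts entry).
    # 'bin' is either a single string or a name -> path map.
    if ($manifest.bin -is [string]) {
        $findings += "bin '$($manifest.name)' -> $($manifest.bin)"
    } elseif ($manifest.bin) {
        foreach ($p in $manifest.bin.PSObject.Properties) { $findings += "bin '$($p.Name)' -> $($p.Value)" }
    }

    # Typosquat heuristic: compare each separator-delimited segment of the name to the watchlist
    foreach ($seg in ($manifest.name -split '[-_./@]' | Where-Object { $_ })) {
        foreach ($legit in $Watchlist) {
            $d = Get-EditDistance $seg $legit
            if ($d -ge 1 -and $d -le 2) { $findings += "segment '$seg' is edit distance $d from '$legit'" }
        }
    }
    [pscustomobject]@{ Name = $manifest.name; Version = $manifest.version; Findings = $findings }
}

Get-NpmPackageRisk -PackageDir '.\node_modules\undicy-http' | Format-List
```

For a package named undicy-http the segment check reports that "undicy" is one edit away from "undici", while a plain whole-name comparison would miss it because of the "-http" suffix.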

JFrog also describes this package as a major escalation from earlier LofyGang activity. Previous campaigns centered on JavaScript-based theft, while this one adds a compiled native Windows injector, persistence, anti-analysis logic, and multiple exfiltration paths.

How the malware works

The Node.js component first relaunches itself as a hidden process using VBScript and wscript.exe. After that, it connects to a WebSocket server at 24[.]152[.]36[.]243:3000, registers as a client, and can receive commands for shell execution, file upload, screen streaming, microphone recording, webcam control, and audio playback through the victim machine.

JFrog says the malware then establishes persistence on Windows through up to three fallback methods. It first tries to create a scheduled task named ScreenLiveClient, then falls back to a Run registry key, and finally uses the Startup folder if needed. It also hides its VBS launcher files to avoid casual discovery.

The second payload raises the stakes further. The package downloads chromelevator.exe from amoboobs[.]com, drops it either in a Windows Defender exclusion path or under %TEMP%\WinSvcHost, and then executes it using several fallback methods. JFrog says the binary uses direct syscalls for process injection, which helps it sidestep user-mode hooks used by EDR and antivirus tools.

What data the attackers wanted

According to JFrog, the stealer targets more than 50 browser families and over 90 crypto wallet extensions. It also goes after 28 desktop wallets, several hardware wallet integrations, and session data from services including Roblox, Instagram, Spotify, TikTok, Steam, and Telegram.

Large files do not move out through one channel alone. JFrog says the malware uses both a Discord webhook and a Telegram bot for exfiltration, while bulk data first gets uploaded to services such as gofile.io or catbox.moe and then forwarded as links to the operator.

The package also includes anti-VM checks, anti-debugging tricks, and a fake missing-DLL pop-up to mislead victims into thinking the program failed. That combination makes the attack more mature than the average typo-squatted npm package.

Key facts at a glance

Malicious package: undicy-http
Version called out by JFrog: 2.0.0
Impersonated package: undici
Main RAT channel: WebSocket C2
Native payload: chromelevator.exe
Main affected platform for native injector: Windows
Reported actor: LofyGang, per JFrog
Notable persistence name: ScreenLiveClient

What defenders should do now

JFrog recommends removing the package immediately, killing related node and wscript.exe processes, deleting persistence artifacts, and blocking the listed command-and-control infrastructure. The report also calls for reinstalling Discord clients because the malware may tamper with local Discord components.

Credential rotation should not stop at browser passwords. JFrog says responders should revoke sessions and rotate tokens for Discord, social platforms, gaming accounts, and wallets that may have been exposed on the infected machine. If crypto wallets were present, the safest move is to migrate assets to new wallets created on a clean system.

The most serious warning in the report concerns trust restoration. JFrog says organizations should re-image the device if chromelevator.exe executed, because manual cleanup cannot reliably restore trust after a native injector of this type has run.

Response checklist

  • uninstall undicy-http
  • kill suspicious node and wscript.exe processes
  • delete the ScreenLiveClient scheduled task
  • remove the related Run registry key
  • delete %TEMP%\_nyx_launch.vbs and %TEMP%\svchost.vbs
  • check for chromelevator.exe in Defender exclusion paths and %TEMP%\WinSvcHost
  • reinstall Discord clients
  • rotate passwords, tokens, and sessions
  • move crypto funds to fresh wallets from a clean machine
  • re-image the endpoint if the native payload ran
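The checklist above as a read-only hunt, an added PowerShell example that is not from the JFrog report: it looks for the persistence names, launcher files, drop locations and process names the write-up lists and reports what it finds without deleting anything. It assumes a single Windows host and an elevated session (needed for the HKLM key and Defender preferences).

```powershell
# Added example, not from the JFrog report: read-only hunt for the artifacts the
# write-up names. Assumes a single Windows host and an elevated PowerShell session.
function Find-UndicyHttpArtifacts {
    $hits = [System.Collections.Generic.List[string]]::new()
    $temp = $env:TEMP

    # 1. Primary persistence: the ScreenLiveClient scheduled task
    if (Get-ScheduledTask -TaskName 'ScreenLiveClient' -ErrorAction SilentlyContinue) {
        $hits.Add('scheduled task ScreenLiveClient present')
    }

    # 2. Fallback persistence: Run values that launch a .vbs through wscript
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($p in @($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            if ("$($p.Value)" -match '\.vbs|wscript') { $hits.Add("Run value '$($p.Name)' in $key -> $($p.Value)") }
        }
    }

    # 3. Last fallback plus the launchers themselves; -Force also lists hidden files
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -Path $startup -Filter '*.vbs' -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $hits.Add("VBS in Startup folder: $($_.FullName)") }
    foreach ($f in "$temp\_nyx_launch.vbs", "$temp\svchost.vbs") {
        if (Test-Path -LiteralPath $f) { $hits.Add("launcher file present: $f") }
    }

    # 4. Native payload drop locations: %TEMP%\WinSvcHost and every Defender exclusion path
    $dirs = @("$temp\WinSvcHost")
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($pref -and $pref.ExclusionPath) { $dirs += $pref.ExclusionPath }
    foreach ($d in $dirs) {
        Get-ChildItem -Path $d -Filter 'chromelevator.exe' -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $hits.Add("chromelevator.exe found: $($_.FullName)") }
    }

    # 5. Processes the checklist tells responders to inspect
    Get-Process -Name node, wscript -ErrorAction SilentlyContinue |
        ForEach-Object { $hits.Add("running process $($_.ProcessName) (PID $($_.Id))") }

    return $hits
}

$found = Find-UndicyHttpArtifacts
if ($found.Count) { $found } else { 'no undicy-http artifacts found' }
```

A hit under item 4 means the native injector reached disk, which is the condition under which JFrog advises re-imaging rather than manual cleanup.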

FAQ

Does undicy-http automatically infect a machine during install?

Not in the usual postinstall sense. JFrog says the package has no postinstall or preinstall trigger. The malicious behavior executes when the package binary is invoked through its bin entry.

Is this just a typo-squatted package with stolen passwords?

No. JFrog says the package combines a remote access trojan, persistence, live screen streaming, microphone and webcam functions, and a native browser injector for large-scale credential and wallet theft.

Which systems face the biggest risk?

The Node.js RAT behavior affects machines that run the malicious package, but the most dangerous second-stage payload described in the report is a native Windows executable called chromelevator.exe.

Who did JFrog link this package to?

JFrog links the package to LofyGang based on author naming, hardcoded strings, and other in-code markers.

What is the safest remediation step if the native payload executed?

Re-image the machine. JFrog says manual cleanup cannot guarantee full trust restoration after chromelevator.exe runs.
