A multi-stage credential stealer hiding inside a fake “zod-pino” utility
The npm package [email protected] posed as a simple integration of the popular zod and pino libraries. On install it silently bootstraps a persistent agent that harvests crypto wallets, browser credentials, Chromium extension databases, Discord tokens, the clipboard and secret files, and exfiltrates them to a hardcoded C2 relay plus Discord and HuggingFace. codelake captured the original artifact before it was pulled from the registry.
The npm package zod-pino (version 1.0.127) presented itself as a lightweight bridge between two of npm's most-downloaded libraries — zod (schema validation) and pino (logging). Its actual purpose was the opposite of benign: a multi-stage information stealer with remote-control (RAT) capabilities, staged across dozens of files so a shallow scan would miss it.
The malicious behaviour is not hidden in the source you read on the registry page — it fires from a chain of postinstall lifecycle scripts that run automatically on npm install, before the developer ever imports the package. Those scripts materialise and start a long-running agent and keep it alive via a process manager, so a single install compromises the machine and survives reboots.
codelake detected and archived version 1.0.127 within its continuous npm scan. The package has since been removed from the registry and replaced by an empty 0.0.1-security placeholder — meaning the working sample and the evidence below are preserved in the codelake archive.
1 · Disguise. The package name and metadata impersonate a routine zod+pino utility (main: dist/index.js); nothing in the public listing hints at the payload.
2 · Auto-execution on install. A five-stage postinstall chain runs on npm install — a clipboard hook, a “durable-materialize” step, a bootstrap step and an agent launcher — dropping and starting a resident process without any action from the victim.
3 · Persistence. The agent is registered with a process manager (pm2 daemon + autostart), and Windows PowerShell helpers disguise it as a “windows-update” task — so it restarts on boot and resists casual cleanup.
4 · Harvest. The agent targets crypto wallets (wallet.dat), Chromium credential stores (Login Data), Chromium extension databases, Discord tokens, the clipboard, live desktop input, and any file matching a bundled secret-filename pattern list — reaching into ~/ and AppData.
5 · Exfiltration. Collected data is shipped to a hardcoded C2 relay at 212.193.3.61:9877, and additionally out via Discord webhooks and HuggingFace Hub uploads — abusing legitimate services as exfil channels to blend in.
Unusually, the sample ships a large test suite whose file names read like a feature list of the malware itself: chromium-extension-db-harvest, extension-db-hf-upload, discord-bot-tokens, discord-relay-upload, clipboard-session, desktop-input-sync, hf-hub-upload-streaming, secret-filename-scan, agent-secret-audit. Each corresponds to a real capability confirmed by the file structure and the postinstall chain — leaving little ambiguity about intent.
Detected and confirmed by codelake Research · continuous npm scanning + AI malware triage + deterministic IOC extraction · independently corroborated by OSV MAL-2026-6273. The original artifact is preserved in the codelake archive and available to verified security researchers on request.
No working payload or reproduction is published here — the technique is described, not reproduced.