A crypto-wallet & secret stealer disguised as an Autodesk Forge integration
The npm package [email protected] advertised itself as a "Node.js integration layer for Autodesk Forge" — forge-* command names, a plausible description. In reality it is a full-spectrum information stealer and remote-control agent: it installs a background daemon on npm install, hunts crypto wallets, seed phrases and secret files across the machine, keylogs and screenshots, and exfiltrates the loot through Hugging Face Hub uploads and Discord webhooks. codelake caught it in the live window before it was pulled from npm.
The npm package logger-daemon-regex (version 1.0.124, 334 files) impersonated an "Autodesk Forge" integration layer — every bin is named forge-* and the description reads "Node.js integration layer for Autodesk Forge." That framing is cover. The package is a modular infostealer plus remote-access agent.
On npm install, a postinstall hook chains five scripts (postinstall-clipboard-event → ensure-dist → postinstall-durable-materialize → postinstall-bootstrap → postinstall-agent), standing up a persistent background agent (via pm2 / an autostart CLI) before the package is ever imported.
The agent then does what its own module and test names describe plainly: scans the filesystem for a curated list of secret and wallet files, harvests browser-extension databases, captures keyboard input and the clipboard, takes periodic screenshots, and exposes a remote file explorer / control channel. The stolen data is archived and uploaded to a Hugging Face Hub repository (using an hf_ token) and posted to Discord webhooks. codelake detected it from the live feed; it was not present in any public advisory database and was unpublished from npm hours after release.
The package ships a secret_filename_patterns.json manifest — the harvester’s explicit target list, and effectively a confession of intent. It is tuned for cryptocurrency theft:
· Wallets & keys: wallet.dat, *.wallet, wallet.json, main-wallet.json, new_keypair.json, keypair.json, private_key.json, secret.key, *.pk / *.p8 / *.p12 / *.pfx / *.jks / *.keystore.
· Seed phrases: *.mnemonic, *.seed, *.phrase, plus UTC--* (the Ethereum keystore filename format) and id.json (the Solana CLI keypair).
· Chain directories: .solana, .ethereum, .bitcoin, .web3, .keystore, .config/solana; and dev configs hardhat.config.js, truffle-config.js, config_sniper.json.
· General secrets: .env*, secrets.json, config.json, keys.txt, priv.txt, and wildcards *private*, *secret*, *keypair*, *keystore*. Directories like .git and node_modules are explicitly excluded to keep the scan fast and quiet.
1 · Continuous ingestion. The package was pulled from the npm feed and archived shortly after publication — the reason we still hold the artifact even though it was unpublished hours later.
2 · Behavioural + surface analysis. An install lifecycle hook chaining an agent bootstrap, combined with a wallet.dat / sensitive-path target manifest and crypto-seed dependencies (@scure/bip39, tweetnacl), flagged it as a stealer rather than the "Forge integration" it claimed to be.
3 · Capability + exfil-channel extraction. A structural pass identified the exfiltration surfaces — Hugging Face Hub uploads (@huggingface/hub, an hf_ token, a streaming uploader) and Discord webhooks — and the input-capture / remote-control modules, without executing any code.
4 · OSV cross-check. OSV returned nothing, confirming this as a novel first-catch; codelake is the source of record.
Detected and classified by codelake Research · continuous npm ingestion · behavioural + surface analysis · capability and exfil-channel extraction · OSV cross-check. Absent from public advisory databases at the time of writing — a codelake first-catch, preserved in the archive after the package was unpublished from npm.
No working payload or reproduction is published here — the technique is described from structural analysis. The original artifact is preserved in the codelake archive and available to verified security researchers on request.