Cross-Platform NPM Stealer, (Fri, May 22nd)

Friday, May 22, 2026 at 06:14 AM UTC·Source: SANS ISC

Updated: Friday, May 22, 2026 at 07:00 AM UTC

Executive Summary

I found a Node.js stealer that looked pretty well obfuscated. The file was not running out-of-the-box because it was uploaded on VT as âextracted-decoded.jsâ (and reformated). The SHA256 is 049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9[1]. It did not run properly in a sandbox so only a static analysis was performed.

Analysis

Indicators of Compromise (1)

SHA-256 (1)

049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9

VirusTotal AnyRun Joe Sandbox

Source Attribution

Originally published by SANS ISC on May 22, 2026.

Related Threats

MEDIUMSupply Chain

Malicious Sicoob NuGet Steals Banking Credentials as npm Packages Target Cloud Secrets

Cybersecurity researchers have discovered a malicious NuGet package that masquerades as a C# software development kit for Sicoob, one of Brazil's largest cooperative financial systems, to siphon client IDs and PFX certificates. According to Socket, versions 2.0.0 through 2.0.4 of "Sicoob.Sdk" contain functionality to exfiltrate sensitive information, including PFX certificates that are used to

1d agoThe Hacker News

CRITICALSupply Chain

Cybersecurity trends in SEC filings

In 2023, the Securities and Exchange Commission (SEC) required public companies to include a new section in their 10-K annual filings that is devoted to cybersecurity. This section is meant to address “cybersecurity risk management, strategy, governance and incidents.” I got curious as to what senior cybersecurity executives are conveying about their companies in these reports. I turned this into

1d agoCSO Online

MEDIUMSupply Chain

AI-Generated npm Malware Leaks Its Own GitHub Token

Sloppy AI-generated npm infostealer leaked its own GitHub token, exposing the operator

1d agoInfosecurity Magazine