Categories: Cyber Security News

New npm Supply Chain Attack Uses undicy-http to Deploy Screen-Streaming RAT and Browser Injector

A malicious npm package named undicy-http has surfaced inside the Node.js developer ecosystem, quietly compromising machines of developers who mistakenly install it.

The package impersonates undici, the official HTTP client library bundled with Node.js that handles millions of weekly downloads. Despite sharing a near-identical name, undicy-http contains zero HTTP client functionality.

Instead, it launches a two-stage attack capable of stealing browser credentials, hijacking active sessions, and giving attackers live remote access to a victim’s screen, microphone, and webcam.

The package (version 2.0.0) delivers two payloads that work in parallel. The first is a Node.js-based Remote Access Trojan that connects to an attacker-controlled WebSocket server, enabling remote shell execution, screen streaming, file uploads, and microphone and webcam recording.

The second is a native Windows executable called chromelevator.exe, which injects into browser processes at the operating system level to steal passwords, cookies, credit card numbers, IBANs, and session tokens from over 50 browsers and 90 cryptocurrency wallet extensions.

JFrog Security researchers identified the package on March 31, 2026, attributing it to the threat group known as LofyGang. The package’s author field reads ConsoleLofy, a direct match to one of LofyGang’s documented aliases.

Hardcoded strings reading "Lofygang Started" and Portuguese-language log messages throughout the code confirm the group’s Brazilian roots.

This campaign marks a significant step up from previous LofyGang attacks, which used only JavaScript to steal Discord tokens and credit card data.

The attack’s reach goes beyond browser data. The malware targets session data from six platforms — Roblox, Instagram, Spotify, TikTok, Steam, and Telegram.

It also goes after 28 desktop cryptocurrency wallets, six hardware wallet integrations including Ledger and Trezor, and over 90 browser wallet extensions.

Stolen data moves through two channels simultaneously — a Discord webhook and a Telegram bot — with large files first uploaded to gofile.io or catbox.moe before download links reach the attacker.

Notably, chromelevator.exe matches a YARA detection rule named MAL_Browser_Stealer_Dec25_2, associated with the broader GlassWorm Campaign attack framework.

Since December 2025, that rule has matched over 1,750 malicious samples, with new matches recorded through March 2026.

Infection Chain: How the Malware Hides and Persists

When a developer installs undicy-http, the main script (index.js) checks immediately whether it is running as a hidden process.

If not, it writes a VBScript file to the system’s temp folder and re-launches itself using wscript.exe with a hidden window, leaving no visible trace of execution.

The malware then establishes three persistence mechanisms to survive system restarts. It first creates a scheduled task named ScreenLiveClient that launches at login with the highest available system privileges.

If that step fails, it falls back to writing a registry run key. As a final option, it places a copy of itself in the Windows Startup folder. The VBScript launcher file is then hidden using attrib +h +s to avoid easy detection.

To avoid security tools, the malware runs ten anti-VM checks targeting MAC addresses, BIOS strings, disk names, and active processes to detect sandbox environments such as ANY.RUN, Cuckoo, and Triage.

It also looks for analysis tools like Wireshark, IDA, and Ghidra. To deceive the victim, it pops up a fake missing-DLL Windows error dialog while the payload continues running silently in the background.

The native binary chromelevator.exe goes even further by using direct syscalls that sidestep standard ntdll.dll APIs, bypassing EDR and antivirus hooks at the user-mode level.

Developers should immediately run npm uninstall undicy-http, end all node and wscript.exe processes, and remove the ScreenLiveClient scheduled task and its registry key.

Delete the VBS files from the temp folder and reinstall all Discord clients to clear injected code. Rotate all passwords, Discord tokens, and session credentials for Roblox, Instagram, Spotify, TikTok, Steam, and Telegram.

Move cryptocurrency to new wallets with fresh seed phrases on a clean machine, and block the C2 address 24[.]152[.]36[.]243 and domain amoboobs[.]com. Re-imaging the system is advised if chromelevator.exe ran, as manual cleanup alone cannot guarantee full system trust.
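As an added defender-side triage example (not code from the article or from JFrog), the PowerShell script below checks a Windows developer machine for the artifacts the article names: the undicy-http package directory, the ScreenLiveClient scheduled task, run keys that launch wscript.exe or a .vbs file, hidden launcher files in the Startup and temp folders, live node/wscript processes, and connections to the reported C2 address. The project root folders are assumptions; the script only reports and removes nothing.

```powershell
# Added triage example; run in an elevated PowerShell. Read-only: it reports findings only.
$findings = @()

# 1. Look for the malicious package in node_modules trees under assumed project roots.
$roots = @("$env:USERPROFILE\source", "$env:USERPROFILE\Projects", $PWD.Path)  # assumed roots
foreach ($root in $roots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Directory -Filter 'undicy-http' -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "npm package present: $($_.FullName)" }
    }
}

# 2. Scheduled task named in the article (first persistence mechanism).
$task = Get-ScheduledTask -TaskName 'ScreenLiveClient' -ErrorAction SilentlyContinue
if ($task) { $findings += "Scheduled task: $($task.TaskPath)$($task.TaskName)" }

# 3. Run keys (second persistence mechanism) that reference wscript.exe or a .vbs launcher.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { "$($_.Value)" -match 'wscript\.exe|\.vbs' } |
            ForEach-Object { $findings += "Run key ${hive}\$($_.Name): $($_.Value)" }
    }
}

# 4. Startup folder copy (third mechanism) and temp-folder VBS launcher; -Force shows hidden/system files.
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup, $env:TEMP -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.vbs', '.js' -or $_.Name -ieq 'chromelevator.exe' } |
    ForEach-Object { $findings += "Suspicious file: $($_.FullName) (attrs: $($_.Attributes))" }

# 5. Processes the article says to terminate during cleanup.
Get-Process -Name node, wscript -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Process: $($_.ProcessName) (PID $($_.Id))" }

# 6. Live connections to the C2 address reported in the article.
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -eq '24.152.36.243' } |
    ForEach-Object { $findings += "C2 connection: PID $($_.OwningProcess) -> $($_.RemoteAddress):$($_.RemotePort)" }

if ($findings.Count -eq 0) { 'No undicy-http indicators found.' } else { $findings }
```

Any hit in sections 2 to 6 means the payload ran, in which case the article's advice to re-image rather than clean by hand applies.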


The post New npm Supply Chain Attack Uses undicy-http to Deploy Screen-Streaming RAT and Browser Injector appeared first on Cyber Security News.
