cold-debug-elevatornpm
Malicious code in cold-debug-elevator (npm) Remove it immediately and rotate any exposed credentials.
What this malware does
The package presents itself as a debugging utility but its exported API is a browser credential stealer targeting installer-owned secrets. The extract(browserPath, outputPath) entry point spawns Chrome/Edge/Brave under a debugger, locates the OSCrypt App-Bound Encryption provider inside chrome.dll/msedge.dll via Zydis disassembly (searching for the OSCrypt.AppBoundProvider.Decrypt.ResultCode string), sets a hardware execute breakpoint, and reads the 32-byte AppBound key out of process registers via ReadProcessMemory. It then DPAPI-decrypts the Local State master key and issues SELECT... encrypted_value FROM cookies and SELECT origin_url, username_value, password_value FROM logins against every Chrome/Edge/Brave profile, AES-GCM-decrypting cookies, saved passwords, autofill and history. A second entry point extractGecko(outputPath) loads nss3.dll from installed Firefox, Thunderbird, Waterfox, SeaMonkey, Pale Moon, LibreWolf and Tor Browser and calls PK11SDR_Decrypt to recover saved passwords from logins.json, then copies cookies.sqlite, formhistory.sqlite and places.sqlite from each profile. Output files are delimited with a <Sage Private> branding string consistent with offensive tooling. binding.gyp references vcpkg paths outside the tarball (<(module_root_dir)\..\builder\src\Chromium-DebugElevator-main (1)\...), so node-gyp rebuild will fail on a normal install — the stealer is distributed as C++ source and runs only after a consumer builds it manually and invokes the API, but the shipped code has no purpose other than harvesting browser secrets from the machine that runs it.
Malicious versions
Indicators of compromise (SHA-256)
Detection & response playbook
Credential / info stealerFind it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for cold-debug-elevator (3 malicious versions). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging cold-debug-elevator across your stack and pipelines.
If you installed it — respond
cold-debug-elevator is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If cold-debug-elevator was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks cold-debug-elevator before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
Frequently asked questions
Campaign
References
Credits
- Amazon Inspector · finder
Detect & block this
O3 blocks cold-debug-elevator-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.