logger-daemon-regexnpm
Malicious code in logger-daemon-regex (npm) Remove it immediately and rotate any exposed credentials.
What this malware does
package.json advertises the package as a 'Node.js integration layer for Autodesk Forge' but the shipped code is a full information-stealer / remote-access implant. On npm install, scripts.postinstall chains scripts/postinstall-agent.mjs, which (a) copies dist/ into a hidden per-user runtime prefix at <userdata>/.logger-daemon-regex/runtime/v<version>/ so the agent survives npm uninstall, (b) registers OS autostart against that hidden copy via cli-autostart.js, and (c) spawns a detached, windowsHide, unref'd node process running dist/cli-agent.js. The agent opens a WebSocket to a C2 host whose address is not present as plaintext: dist/deploymentDefaults.js reconstructs a 32-byte AES-256-GCM key by XOR-ing two obfuscated Uint8Array halves (DEPLOYMENT_KEY_A^DEPLOYMENT_MASK_A, DEPLOYMENT_KEY_B^DEPLOYMENT_MASK_B) and decrypts DEPLOYMENT_CIPHER_TEXT_B64 (with IV/TAG) into publicHost / relayPort / apiPort / defaultExplorerPassword, from which ws://<host>:<port> is derived at runtime. Once connected, the agent runs dist/secretScan/agentStartupAudit.js, which walks POSIX '/' or every Windows drive and matches files by name and content against rules in dist/secretScan/contentScanner.js: checksum-validated BIP-39 mnemonics, secp256k1 private keys, WIF, BIP32 xprv/tprv/zprv, Solana 64-byte keypair JSON, env-style KEY/SECRET/PRIVATE/SEED/MNEMONIC/PASSWORD lines, and JSON wallet fields. Matches (with full secret material by default) are packaged into agents/<hostname>/result.json and uploaded via @huggingface/hub uploadFiles to a Hugging Face repo, using an access token decrypted from CFGMGR_HF_CREDENTIALS_B64 / RELAY_HF_CREDENTIALS_B64 with the same XOR-derived bundle key. dist/shellHistoryScan.js separately enumerates ~/.bash_history, ~/.zsh_history, ~/.python_history, ~/.node_repl_history, ~/.mysql_history, ~/.psql_history, ~/.sqlite_history, ~/.lesshst, fish history, Windows PowerShell PSReadLine ConsoleHost_history.txt, Clink history, and Cygwin/msys homes, streaming records through syncClient to the same C2 relay. dist/hostInventorySend.js unconditionally POSTs hostname + os.type/platform/release/version + Node version to the same relay. dist/chromiumExtensionDbHarvest.js + dist/extensionDbHfUpload.js target Chromium/Chrome/Edge extension LevelDB stores (browser wallets, session cookies) and are enabled by default via FORGE_JS_AGENT_EXTENSION_DB_HF_UPLOAD='1' set in postinstall-agent.mjs's turnkeySpawnEnvOverrides. dist/index.js additionally re-exports relayAgent, windowsInputSync, clipboardEventWatcher, discordRelayUpload, and workerBootstrap, giving the C2 operator keyboard/clipboard capture, screenshot exfiltration (handleDiscordScreenshotUploadFromAgent), and arbitrary file upload. The near-duplicate bin entries (forge-jsx-explorer-, forge-jsy-explorer-, logger-daemon-regex-explorer-kill-agent) and CFGMGR_* / FORGE_JS_* env-var namespaces reinforce the Autodesk Forge / cfgmgr impersonation cover story.
Malicious versions
Indicators of compromise (SHA-256)
Detection & response playbook
Credential / info stealerFind it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for logger-daemon-regex (version 1.0.124). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging logger-daemon-regex across your stack and pipelines.
If you installed it — respond
logger-daemon-regex is built to steal secrets, so assume every credential the build or runtime could read is compromised. Remove it from your project and lockfile, then rotate ALL exposed secrets — npm/registry tokens, cloud keys, CI/CD secrets, SSH keys, and any .env values — from a known-clean machine. Audit logs for unauthorized use of those credentials.
Did it already run?
If logger-daemon-regex was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks logger-daemon-regex before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.
Frequently asked questions
Campaign
References
Credits
- Amazon Inspector · finder
Detect & block this
O3 blocks logger-daemon-regex-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the credential exfiltration and severs the channel.