{
	"id": "d5a738cf-9a09-4c47-b04a-ac7dd9df4f5a",
	"created_at": "2026-04-06T00:10:07.314731Z",
	"updated_at": "2026-04-10T03:20:52.905421Z",
	"deleted_at": null,
	"sha1_hash": "03c2b45411df67696419724adfcd89f94816ca30",
	"title": "npm Malware: Bladabindi Trojan in Typosquatting Packages",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 814437,
	"plain_text": "npm Malware: Bladabindi Trojan in Typosquatting Packages\r\nBy Ax Sharma\r\nPublished: 2020-12-01 · Archived: 2026-04-05 17:58:44 UTC\r\nOver the Thanksgiving weekend, Sonatype discovered new malware within the npm registry. This time, the typosquatting packages we identified are laced with a popular Remote Access Trojan (RAT).\r\nThe malicious packages are:\r\njdb.js\r\ndb-json.js\r\nBoth packages were published by the same author.\r\nOn Friday, Sonatype Intelligence, which includes machine learning algorithms that automatically detect potentially malicious open source components, flagged \"jdb.js\" as suspicious.\r\nThis is the same technology that recently uncovered open source malware such as CursedGrabber, fallguys' successor discord.dll, and typosquatting npm packages such as electorn and twilio-npm, among many others.\r\nUpon digging deeper, we discovered that the author behind \"jdb.js\" had also published another malicious npm package, \"db-json.js\".\r\nAs the name implies, \"jdb.js\" attempts to mimic the legitimate Node.js database library jdb. Similarly, \"db-json.js\" carries a near-identical name to the genuine db-json library, differing only by the appended \".js\" suffix.\r\nHowever, \"jdb.js\" is in fact a malicious package bundled with a Remote Access Trojan (RAT) called njRAT, aka Bladabindi.\r\nRATs are a class of malware that enables attackers to take over an infected system, execute arbitrary commands, run keyloggers, and discreetly conduct other surveillance activities.\r\nnjRAT is an info-stealing trojan that has been deployed in widespread attacks, including those that led Microsoft to seize No-IP dynamic DNS domains in 2014, a takedown that disrupted roughly 4 million hostnames.\r\nIn recent years, variants of njRAT/Bladabindi have been distributed via Bitcoin scams on YouTube and via Excel phishing emails.\r\n
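The lookalike names above (jdb.js for jdb, db-json.js for db-json, and earlier electorn and twilio-npm) follow a small set of patterns: a real name with a cosmetic suffix bolted on, or a real name with two adjacent letters swapped. The following is an added example, not code from Sonatype or from the packages discussed, showing how such names can be screened mechanically before a dependency is accepted. The allowlist, the suffix list, the sample manifest and the distance threshold are all constructed for illustration; a real deployment would load the allowlist from a registry snapshot or an internal approved-packages list.

```javascript
// Added example (not Sonatype code): flag npm dependency names that imitate
// well-known packages. KNOWN_GOOD and SAMPLE_MANIFEST are constructed for
// illustration; load the allowlist from a registry snapshot in practice.
const KNOWN_GOOD = ['jdb', 'db-json', 'electron', 'twilio', 'lodash', 'express'];

// Cosmetic decorations squatters bolt onto a real name. Stripping them
// exposes the name being imitated (jdb.js -> jdb, twilio-npm -> twilio).
const DECORATIONS = ['.js', '-js', '-npm', 'js'];

function stripDecorations(name) {
  let n = name.toLowerCase();
  if (n.startsWith('node-')) n = n.slice(5);
  for (const suffix of DECORATIONS) {
    if (n.endsWith(suffix) && n.length > suffix.length) {
      n = n.slice(0, -suffix.length);
      break;
    }
  }
  return n;
}

// Optimal-string-alignment (restricted Damerau-Levenshtein) distance: one
// insertion, deletion, substitution or adjacent transposition costs 1, so
// electorn -> electron is distance 1 rather than 2.
function editDistance(a, b) {
  const d = [];
  for (let i = 0; i <= a.length; i++) {
    d.push(new Array(b.length + 1).fill(0));
    d[i][0] = i;
  }
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Classify one package name against the allowlist. An exact hit is 'known'.
// A name that reduces to a known name after stripping decorations, or that
// sits within edit distance 1 of a known name, is 'lookalike'. The distance
// check skips allowlist entries shorter than five characters: almost every
// two- or three-letter name has legitimate distance-1 neighbours.
function classify(name, knownGood = KNOWN_GOOD) {
  const lower = name.toLowerCase();
  if (knownGood.includes(lower)) {
    return { verdict: 'known', target: lower, reason: 'exact match' };
  }
  const stripped = stripDecorations(lower);
  if (stripped !== lower && knownGood.includes(stripped)) {
    return { verdict: 'lookalike', target: stripped, reason: 'decorated known name' };
  }
  for (const good of knownGood) {
    if (good.length >= 5 && editDistance(lower, good) === 1) {
      return { verdict: 'lookalike', target: good, reason: 'edit distance 1' };
    }
  }
  return { verdict: 'unknown', target: null, reason: 'no close match' };
}

// Screen every dependency in a parsed manifest object (the result of
// JSON.parse on package.json) and return only the lookalikes.
function screenDependencies(manifest, knownGood = KNOWN_GOOD) {
  const deps = Object.assign({}, manifest.dependencies || {}, manifest.devDependencies || {});
  return Object.keys(deps)
    .map((dep) => Object.assign({ name: dep }, classify(dep, knownGood)))
    .filter((r) => r.verdict === 'lookalike');
}

// Constructed manifest mixing the two packages from this report with the
// earlier squats the post mentions and one legitimate dependency.
const SAMPLE_MANIFEST = {
  name: 'victim-app',
  dependencies: { 'db-json.js': '^1.0.4', 'jdb.js': '1.0.0', electorn: '*', express: '^4.17.1' },
  devDependencies: { 'twilio-npm': '*' },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of screenDependencies(SAMPLE_MANIFEST)) {
    console.log(hit.name + ' looks like ' + hit.target + ' (' + hit.reason + ')');
  }
}
```

Run with node to print the four flagged dependencies of the constructed manifest; express passes as an exact allowlist hit. Suffix stripping is what catches jdb.js even though jdb itself is too short for the distance check, and the transposition-aware distance is what catches electorn, which plain Levenshtein would score as 2.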
Given njRAT's customizability and easy availability on the darknet, the malware has also been shipped by threat actors as part of their ransomware exploit kits.\r\nDissecting npm Malware \"jdb.js\"\r\nPublished last week, \"jdb.js\" is an npm package (not a JavaScript file) with a single version, 1.0.0, that contains three files:\r\npackage.json, the manifest file\r\nmodule.js, an obfuscated script\r\npatch.exe, a Windows executable containing the njRAT payload\r\nhttps://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware\r\nPage 1 of 8\n\nThe counterfeit component scored just below 100 downloads, thanks to Sonatype's automated systems catching it shortly after release.\r\nThe package.json manifest file contained within the package launches module.js as soon as the package is installed. In npm, code runs at install time only through a lifecycle script (preinstall, install or postinstall) declared in the manifest's scripts field; npm executes such scripts automatically during npm install unless it is invoked with --ignore-scripts, which is why a dependency's manifest deserves as much scrutiny as its code.\r\nmodule.js is a heavily obfuscated script containing multiple base64-encoded chunks that cannot be easily deciphered: decoding these strings yields gibberish, implying the base64 chunks contain binary or encrypted data.\r\nImage: Obfuscated module.js file (code spread out by us for legibility)\r\nThe script conducts multiple sinister activities such as data gathering and reconnaissance, and ultimately launches patch.exe, an njRAT dropper written in .NET.\r\nAlthough patch.exe contains an older, known njRAT strain, VirusTotal indicated at the time of our analysis that this particular sample had first been submitted to the engine last week, by Sonatype, meaning it contained at least some information not previously seen.\r\nDecompiling the executable reveals that crucial information.\r\nOne of the class constructors, called \"OK,\" has hardcoded strings revealing the location of the command and control (C2) server and port the malware communicates with, the local Windows folder where it drops itself, etc.\r\nImage: hardcoded strings within the patch.exe sample, such as the C2 server IP address, the name of the dropped process, etc.\r\nAs soon as patch.exe runs, it copies itself into the local \"TEMP\" folder on the system and renames itself to \"dchps.exe\" (a value revealed within the screenshot). The C2 server and port it establishes a connection to is 46.185.116.2:5552.\r\nHowever, prior to communicating with the C2 infrastructure, the malicious executable edits Windows firewall rules to ensure it has no trouble communicating with the hardcoded IP. To do so, it issues the legitimate \"netsh\" command multiple times, starting with:\r\nnetsh firewall add allowedprogram \"C:\\Users\\admin\\AppData\\Local\\Temp\\dchps.exe\" \"dchps.exe\" ENABLE\r\nThis uses the legacy netsh firewall context, which Windows deprecated in favour of netsh advfirewall starting with Vista but which Windows 7 through Windows 10 still accept, printing a deprecation notice. A process-creation event in which netsh.exe adds an allowedprogram entry or firewall rule for an executable living in a user's Temp folder is a detection opportunity worth alerting on.\r\nThe commands that can be remotely executed by the C2 server operator are quite extensive.\r\nBy infecting a host with this malware, a remote attacker gains the ability to log keystrokes, modify registry values, initiate system shutdown or restart at will, edit the web browser (IE) start page, \"speak\" to the user via text-to-speech synthesis (via SAPI.Spvoice), kill or relaunch critical system processes like Task Manager, System Restore and PING, in addition to taking control of hardware devices like CD drives, monitors, mouse, keyboard, etc.\r\nImage: Partial list of commands an njRAT C2 server can send for the trojan to execute on the infected host\r\nThe malware also contains a hardcoded link, https://dl.dropbox[.]com/s/p84aaz28t0hepul/Pass.exe, now disabled by Dropbox, that has also frequently appeared in other njRAT samples.\r\nIt is worth noting that the C2 server IP 46.185.116.2 this sample communicates with is the same IOC observed in some CursedGrabber binaries, indicating that the threat actors behind CursedGrabber and the npm malware \"jdb.js\" could be linked.\r\nHonest-Looking \"db-json.js\" Hides \"jdb.js\" Within\r\nAlthough \"jdb.js\" exhibits obvious malicious signs, it's \"db-json.js\" that is more concerning, because it might be harder for both a human and a machine to spot immediately.\r\nFirst of all, \"db-json.js\" had, at the time of analysis, a proper README page on npm touting it to be JsonDb, an \"easy to use module that makes database based on json files.\"\r\nThere are well-documented instructions provided for the developer on how to incorporate this library in their application.\r\nImage: npm package \"db-json.js\" with a believable npm README page\r\nThe package \"db-json.js\" appears clean at first glance, as it contains the functional code one would expect from a genuine JSON DB creation package. Yet it secretly pulls in the malicious \"jdb.js\" as a dependency, something Sonatype has repeatedly warned about.\r\nAs the screenshots of the manifest file in versions 1.0.3 and 1.0.4 show, both list \"jdb.js\" as a dependency. Because npm runs a dependency's install scripts when that dependency is pulled in transitively, merely installing \"db-json.js\" is enough to trigger the install hook of \"jdb.js\".\r\nFurthermore, in version 1.0.4, the seemingly innocuous \"dbmanager.js\" class goes a step further by appending multiple empty lines towards the end of its functional code, with the very last line being:\r\nrequire('jdb.js');\r\nImage: db-json.js containing otherwise \"clean\" code secretly launches jdb.js\r\nThis means that even if someone is able to dodge \"jdb.js\", by using \"db-json.js\" in their application not only would they be infecting their own machine with njRAT malware, they would also put other developers at risk: developers who install or fork applications built with \"db-json.js\".\r\nIn our recent State of the Software Supply Chain report, we documented a 430% increase in malicious code injection within OSS projects, or next-gen software supply chain attacks, and this isn't the first time we have seen attacks involving counterfeit components.\r\nThe discovery of yet another family of counterfeit components, especially after \"discord.dll\" and other Sonatype-discovered malware had already made headlines, speaks to the damage that can be done to your software supply chain if adequate protections are not in place.\r\nTimeline\r\nSonatype's timeline related to the malicious packages' discovery and reporting is as follows:\r\nNovember 27, 2020: Suspicious package \"jdb.js\" is picked up by our automated malware detection system within a day of its publication to the npm registry. While manually analyzing the package, another package, \"db-json.js\", by the same author is discovered. Although suspicious components can be automatically quarantined, our Security Research team immediately adds both packages to our data, assigning them the identifier sonatype-2020-1168.\r\nNovember 27, 2020: The npm security team is notified of the malicious packages the same day. Note: the day of this report fell over the Thanksgiving holiday weekend.\r\nNovember 30, 2020: The npm security team removes \"jdb.js\" and \"db-json.js\".\r\nDecember 1, 2020: Public disclosure via this blog post.\r\nBased on the visibility we have, no Sonatype customers have downloaded either of these packages, and our customers remain protected against such counterfeit components.\r\nSonatype's open source intelligence, which includes our automated malware detection technology, safeguards your developers, customers, and software supply chains from infections like these.\r\nIf you're not a Sonatype customer and want to find out if your code is vulnerable, you can use Sonatype's free Sonatype Vulnerability Scanner to find out quickly.\r\nVisit the Sonatype Intelligence Insights page for a deep dive into other vulnerabilities like this one, or subscribe to automatically receive Sonatype Intelligence Insights hot off the press.\r\nIndicators of Compromise (IOCs)\r\nThis is not an exhaustive list of IOCs. Other njRAT samples exist in the wild.\r\nURLs and IPs:\r\n46.185.116.2:5552\r\nhttps://dl.dropbox[.]com/s/p84aaz28t0hepul/Pass.exe\r\nHashes (SHA-256):\r\nd6c04cc24598c63e1d561768663808ff43a73d3876aee17d90e2ea01ee9540ff\r\n86c11e56a1a3fed321e9ddc191601a318148b4d3e40c96f1764bfa05c5dbf212\r\nSource: https://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware"
	],
	"report_names": [
		"bladabindi-njrat-rat-in-jdb.js-npm-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434207,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/03c2b45411df67696419724adfcd89f94816ca30.pdf",
		"text": "https://archive.orkl.eu/03c2b45411df67696419724adfcd89f94816ca30.txt",
		"img": "https://archive.orkl.eu/03c2b45411df67696419724adfcd89f94816ca30.jpg"
	}
}