npm: G_Wagon NPM Package Exploits Users to Steal Browser Credentials with Obfuscated Payload

Sophisticated npm Infostealer "G_Wagon" Targets Developers with Fake UI Library

A highly advanced infostealer malware, dubbed G_Wagon, has been distributed via the malicious npm package ansi-universal-ui, masquerading as a legitimate UI component library. Discovered by security researchers on January 23, 2026, at 08:46 UTC, the package contains no functional UI code; instead, it deploys a Python-based infostealer designed to exfiltrate sensitive data from infected systems.

Attack Methodology & Evolution

The threat actor demonstrated iterative sophistication, publishing 10 versions between January 21–23, 2026, each refining the malware’s evasion and execution techniques. Key developments include:

  • v1.2.0: Replaced npm’s tar dependency with direct system tar execution.
  • v1.3.7: Added post-execution cleanup to delete payloads and sanitized log messages (e.g., "Initializing UI runtime" instead of "Setting up Python environment").
  • v1.4.0: Shifted to memory-only execution, fetching base64-encoded payloads from remote servers and piping them directly to Python via stdin to avoid disk-based detection.
  • Self-dependency trick: The package lists itself as a dependency in package.json, triggering its postinstall hook twice during installation.
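The two manifest-level patterns above (install-time lifecycle hooks and a package that lists itself as a dependency) can be flagged before `npm install` runs anything. The following audit script is an added example, not code from the article or from the package; the manifest it inspects is constructed and the suspicious-token list is a heuristic, not a rule set from the report.

```javascript
// Static pre-install audit of a package.json (added example, constructed input).
// Flags: (1) the package depending on itself, which makes npm run its install
// hooks again for the nested copy, and (2) any install-time lifecycle script,
// with an extra heuristic for hook commands that shell out to interpreters or
// downloaders. Run with ignore-scripts=true in .npmrc if you only want to inspect.
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];
// Heuristic tokens that are suspicious inside an install hook of a UI library.
const SUSPICIOUS = [/\bpython3?\b/, /\bcurl\b/, /\bwget\b/, /base64/i,
                    /powershell/i, /\bsh\s+-c\b/, /\beval\(/];

function auditManifest(pkg) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.optionalDependencies || {}) };
  if (pkg.name && Object.prototype.hasOwnProperty.call(deps, pkg.name)) {
    findings.push({ rule: "self-dependency",
      detail: `${pkg.name} lists itself as a dependency (install hooks run twice)` });
  }
  for (const hook of LIFECYCLE) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (!cmd) continue;
    // Any install hook is worth a look; a pure UI library rarely needs one.
    findings.push({ rule: "lifecycle-script", detail: `${hook}: ${cmd}` });
    const hits = SUSPICIOUS.filter((re) => re.test(cmd)).map((re) => re.source);
    if (hits.length) {
      findings.push({ rule: "suspicious-hook-command",
        detail: `${hook} matches ${hits.join(", ")}` });
    }
  }
  return findings;
}

// Read and audit a manifest from disk (Node only; path is whatever you point it at).
function auditFile(path) {
  const fs = require("fs");
  return auditManifest(JSON.parse(fs.readFileSync(path, "utf8")));
}

// Constructed manifest mimicking the self-dependency + postinstall pattern.
// Package name is a placeholder, not the real package.
const sampleManifest = {
  name: "example-ui-lib",
  version: "1.4.0",
  scripts: { postinstall: "node setup.js" },
  dependencies: { "example-ui-lib": "1.4.0" },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(auditManifest(sampleManifest));
}
```

A hook that merely runs `node setup.js` will not trip the token heuristic, so treat any lifecycle-script finding as a prompt to read the referenced file, and rely on the self-dependency and lifecycle checks rather than the token list alone.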

Data Theft Capabilities

G_Wagon targets a broad range of sensitive data, including:

  • Browser credentials: Chrome, Edge, and Brave (Windows/macOS), using Chrome DevTools Protocol for cookies and Windows DPAPI for password decryption.
  • Cryptocurrency wallets: Over 100 browser extensions (MetaMask, Phantom, Coinbase Wallet, Ledger Live, etc.), spanning Ethereum, Solana, Cosmos, Polkadot, and Cardano.
  • Cloud credentials: AWS CLI, Azure CLI, Google Cloud SDK files, SSH keys, and Kubernetes configs.
  • Messaging tokens: Discord, Telegram, and Steam authentication files.

Stolen data is compressed, chunked (5MB segments), and uploaded to Appwrite storage buckets hosted in New York and Frankfurt.

Advanced Evasion Techniques

The malware employs anti-forensic measures, including:

  • Memory-only payload execution to evade disk-based detection.
  • Process injection via an embedded Windows DLL, using NT native APIs for deeper system access.
  • Browser process termination to bypass security controls during credential theft.

The campaign highlights the growing threat of supply-chain attacks targeting developers through seemingly legitimate open-source packages.

Source: https://gbhackers.com/g_wagon-npm-package/

npm, Inc. cybersecurity rating report: https://www.rankiteo.com/company/npm-inc-

"id": "NPM1769526071",
"linkid": "npm-inc-",
"type": "Cyber Attack",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Software Development, Technology',
                        'location': 'Global',
                        'type': 'Developers, Organizations using the malicious '
                                'npm package'}],
 'attack_vector': 'Malicious npm package',
 'data_breach': {'data_encryption': 'No (data exfiltrated in plaintext or '
                                    'compressed chunks)',
                 'data_exfiltration': 'Yes, to Appwrite storage buckets (New '
                                      'York and Frankfurt)',
                 'personally_identifiable_information': 'Browser cookies, '
                                                        'authentication '
                                                        'tokens, '
                                                        'cryptocurrency wallet '
                                                        'data',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Browser credentials',
                                              'Cryptocurrency wallets',
                                              'Cloud credentials',
                                              'Messaging tokens',
                                              'SSH keys',
                                              'Kubernetes configs']},
 'date_detected': '2026-01-23T08:46:00Z',
 'description': 'A highly advanced infostealer malware, dubbed *G_Wagon*, has '
                'been distributed via the malicious npm package '
                '*ansi-universal-ui*, masquerading as a legitimate UI '
                'component library. The package contains no functional UI '
                'code; instead, it deploys a Python-based infostealer designed '
                'to exfiltrate sensitive data from infected systems.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to '
                                       'affected developers and organizations',
            'data_compromised': 'Browser credentials, cryptocurrency wallets, '
                                'cloud credentials, messaging tokens, SSH '
                                'keys, Kubernetes configs',
            'identity_theft_risk': 'High',
            'operational_impact': 'Potential unauthorized access to cloud '
                                  'environments, cryptocurrency theft, '
                                  'identity theft',
            'payment_information_risk': 'High (cryptocurrency wallets)',
            'systems_affected': 'Developer workstations (Windows/macOS)'},
 'initial_access_broker': {'entry_point': 'Malicious npm package '
                                          '(ansi-universal-ui)',
                           'high_value_targets': 'Developers, organizations '
                                                 'with cloud/cryptocurrency '
                                                 'assets'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Growing threat of supply-chain attacks via open-source '
                    'packages; need for stricter npm package vetting and '
                    'developer awareness.',
 'motivation': 'Data exfiltration, credential theft',
 'post_incident_analysis': {'corrective_actions': ['Implement npm package '
                                                   'scanning tools',
                                                   'Restrict postinstall '
                                                   'script execution',
                                                   'Enhance developer training '
                                                   'on supply-chain risks'],
                            'root_causes': ['Lack of npm package vetting',
                                            'Abuse of postinstall hooks',
                                            'Self-dependency trick in '
                                            'package.json']},
 'recommendations': ['Verify npm package authenticity before installation',
                     'Monitor postinstall scripts for suspicious activity',
                     'Use memory and behavior-based detection tools',
                     'Educate developers on supply-chain attack risks'],
 'references': [{'source': 'Security Research Report'}],
 'title': "Sophisticated npm Infostealer 'G_Wagon' Targets Developers with "
          'Fake UI Library',
 'type': 'Supply Chain Attack',
 'vulnerability_exploited': 'Postinstall hook abuse, self-dependency trick'}