undicy-http

A malicious npm package named undicy-http has surfaced inside the Node.js developer ecosystem... The package impersonates undici, the official HTTP client library bundled with Node.js

It first creates a scheduled task named ScreenLiveClient that launches at login with the highest available system privileges.

If not, it writes a VBScript file to the system’s temp folder and re-launches itself using wscript.exe with a hidden window

The first is a Node.js-based Remote Access Trojan... When a developer installs undicy-http, the main script (index.js) checks immediately whether it is running as a hidden process.

It first creates a scheduled task named ScreenLiveClient that launches at login with the highest available system privileges.

If that step fails, it falls back to writing a registry run key. As a final option, it places a copy of itself in the Windows Startup folder.

It first creates a scheduled task named ScreenLiveClient that launches at login with the highest available system privileges.

If that step fails, it falls back to writing a registry run key. As a final option, it places a copy of itself in the Windows Startup folder.

To deceive the victim, it pops up a fake missing-DLL Windows error dialog while the payload continues running silently in the background.

the malware runs ten anti-VM checks targeting MAC addresses, BIOS strings, disk names, and active processes to detect sandbox environments such as ANY.RUN, Cuckoo, and Triage.

the malware runs ten anti-VM checks targeting MAC addresses, BIOS strings, disk names, and active processes

The VBScript launcher file is then hidden using attrib +h +s to avoid easy detection.

it writes a VBScript file to the system’s temp folder and re-launches itself using wscript.exe with a hidden window, leaving no visible trace of execution

It also looks for analysis tools like Wireshark, IDA, and Ghidra.

the malware runs ten anti-VM checks targeting MAC addresses, BIOS strings, disk names, and active processes to detect sandbox environments such as ANY.RUN, Cuckoo, and Triage.

the malware runs ten anti-VM checks targeting MAC addresses, BIOS strings, disk names, and active processes

It also looks for analysis tools like Wireshark, IDA, and Ghidra.

The first is a Node.js-based Remote Access Trojan that connects to an attacker-controlled WebSocket server

The first is a Node.js-based Remote Access Trojan that connects to an attacker-controlled WebSocket server, enabling remote shell execution, screen streaming, file uploads, and microphone and webcam recording.

Stolen data moves through two channels simultaneously — a Discord webhook and a Telegram bot — with large files first uploaded to gofile.io or catbox.moe before download links reach the attacker.