Security researchers reported a supply-chain attack delivered via a malicious npm package, ansi-universal-ui, masquerading as a legitimate UI component library. The package, dubbed G_Wagon by Aikido, used a multi-stage infection chain: after installation it executed an obfuscated loader, downloaded its own Python runtime to evade local restrictions, and then ran a Python-based stealer that exfiltrated sensitive data including browser credentials, cryptocurrency wallets, cloud credentials, and Discord tokens to an Appwrite storage bucket. The campaign showed rapid iteration, with roughly 10 package versions published over two days, progressing from basic scaffolding to adding C2 configuration and a “full Python payload with browser injection.”
Technical analysis indicated the payload included a large base64 blob that decoded to an XOR-encrypted Windows DLL, which was injected into browser processes using Windows native APIs (e.g., NtAllocateVirtualMemory). Separately, reporting highlighted that npm and Yarn package-manager behaviors can leave “unplugged holes” that attackers may exploit to bypass certain defenses aimed at malicious dependency activity (referencing “Shai-Hulud”), reinforcing the broader risk that package-manager edge cases and ecosystem trust can be leveraged for supply-chain compromise. A paywalled report about a Firefox WebRTC RCE with public exploit code appears unrelated to the npm malware activity and does not materially contribute details to this incident.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
Snyk published its assessment of the malicious package, rating the issue critical with a CVSS 4.0 score of 9.3 and classifying it under CWE-506. It warned that all versions of "ansi-universal-ui" were affected and should be avoided.
Following disclosure, researchers and vendors advised developers to remove the malicious package, delete related dependencies, check for the ~/.gwagon_status marker file, and rotate or revoke exposed credentials such as browser passwords, cloud keys, SSH keys, and tokens. Guidance also recommended reviewing systems and logs for signs of Appwrite-related exfiltration traffic.
Analysis of G_Wagon showed it downloaded its own Python runtime, executed payloads in memory, and used an embedded Windows DLL injected into browser processes via native APIs. The malware was found stealing browser credentials, crypto wallet data, cloud and infrastructure secrets, and communication-platform tokens, then exfiltrating them to attacker-controlled Appwrite storage.
On January 23, 2026, researchers identified "ansi-universal-ui" as a malicious npm package delivering the multi-stage G_Wagon infostealer. The package used a postinstall hook to fetch and run obfuscated payloads while posing as a lightweight UI component library.
The npm package "ansi-universal-ui" began a rapid series of malicious releases, evolving from initial scaffolding into a more capable infostealer delivery chain. Reporting indicates 10 versions were published over roughly two days, starting on January 21, 2026.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
snyk.io
Open sourcecybersecuritynews.com
Open sourcesecurityonline.info
Open sourcecsoonline.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.