Stealit malware activity abusing Node.js SEA and counterfeit installers
Malware Activity
Summary
Stealit is an active malware campaign that uses the Node.js Single Executable Application (SEA) feature, and in some builds Electron, to package standalone payloads that are spread through counterfeit game and VPN installers hosted on Mediafire and Discord. According to the latest FortiGuard Labs reporting, the campaign first used Node.js SEA so that its malicious scripts would run on systems without Node.js installed, then reverted to Electron builds with AES-256-GCM encryption and moved its C2 panel from stealituptaded[.]lol to iloveanimals[.]shop. The malware targets Windows and Android systems and can steal data from browsers, messengers, cryptocurrency wallets, and game-related apps, and it also supports persistence, remote control, and ransomware deployment.
Related Happenings
Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs
Threat Actor Meta
First: 20.05.2026 00:47
Last: 20.05.2026 00:47
Sources 1
About this happening:
Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...
SHub Reaper macOS infostealer variant
Malware Activity
First: 19.05.2026 00:42
Last: 19.05.2026 00:42
Sources 1
About this happening:
The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...
Inactive maintainer account 'atiertant' hit by network compromise
Incident
First: 15.05.2026 20:10
Last: 15.05.2026 20:10
Sources 1
About this happening:
The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...
Gremlin stealer modular toolkit evolution
Malware Activity
First: 15.05.2026 17:19
Last: 15.05.2026 17:19
Sources 1
About this happening:
The **Gremlin stealer** malware has expanded into a **modular toolkit** with **session-hijacking** and **crypto clipping** capabilities, raising the risk of credential theft and a...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...
Timeline
10.10.2025 17:25 · 3 articles
Stealit malware campaign disclosure
Initial Disclosure: Cybersecurity researchers disclosed an active Stealit malware campaign that uses Node.js Single Executable Application (SEA) and some Electron builds to distribute malicious payloads through counterfeit game and VPN installers uploaded to Mediafire and Discord. The malware performs anti-analysis checks, writes a Base64-encoded authentication key to %temp%\cache.json, configures Microsoft Defender Antivirus exclusions, and uses modular components to extract data from Chromium-based browsers, messengers, cryptocurrency wallets, and game apps. Its components also provide persistence, live screen monitoring, arbitrary command execution, file transfer, and ransomware deployment on Windows and Android systems.
- Stealit Malware Abuses Node.js Single Executable Feature via Game and VPN Installers — thehackernews.com — 10.10.2025 17:25
- New Stealit Malware Campaign Spreads via VPN and Game Installer Apps — www.infosecurity-magazine.com — 13.10.2025 16:45
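The disclosure above names two host-side artifacts a responder can check for directly: a Base64-encoded key written to %temp%\cache.json and newly added Microsoft Defender Antivirus exclusions. The following PowerShell triage script is an added example, not code from the original page or from FortiGuard Labs; it assumes Microsoft Defender Antivirus with its `Defender` PowerShell module is installed, that the script runs in the profile of the user whose %TEMP% is of interest, and that the reader reviews the output rather than treating any single finding as proof of infection.

```powershell
# Added example (not part of the original disclosure): defender-side triage for
# the two Stealit host artifacts named in the write-up.
# Assumptions: Microsoft Defender Antivirus is present, the Defender module is
# loadable, and we run as the user whose %TEMP% directory we want to inspect.

# 1. Enumerate configured Defender exclusions. The campaign is reported to add
#    exclusions, so any path, extension or process entry that the administrator
#    does not recognise deserves a closer look.
$pref = Get-MpPreference
[PSCustomObject]@{
    ExclusionPath      = $pref.ExclusionPath
    ExclusionExtension = $pref.ExclusionExtension
    ExclusionProcess   = $pref.ExclusionProcess
} | Format-List

# 2. Look for Defender configuration-change events (Event ID 5007 in the
#    Defender operational log records configuration changes) that mention
#    exclusions, so a recent addition can be timed against other activity.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 5007
    } -MaxEvents 100 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message |
    Format-List

# 3. Check for the %temp%\cache.json authentication-key file described in the
#    disclosure. Only report metadata and whether the content is Base64; the
#    decoded value is not printed.
$cachePath = Join-Path -Path $env:TEMP -ChildPath 'cache.json'
if (Test-Path -LiteralPath $cachePath) {
    $item = Get-Item -LiteralPath $cachePath
    Write-Output ("Found {0} ({1} bytes, last modified {2})" -f $cachePath, $item.Length, $item.LastWriteTime)
    $raw = (Get-Content -LiteralPath $cachePath -Raw).Trim()
    try {
        [void][Convert]::FromBase64String($raw)
        Write-Output 'Content is valid Base64, consistent with the described artifact.'
    } catch {
        Write-Output 'Content is not plain Base64; inspect the file manually.'
    }
} else {
    Write-Output ("No {0} present for the current user." -f $cachePath)
}
```

Run the script in an elevated session so that `Get-MpPreference` and the Defender operational log are readable. Because %TEMP% is per user, repeat the file check under each interactive account on a shared host, and treat an unexplained exclusion plus a Base64 cache.json in the same time window as grounds for full collection rather than as a verdict on its own.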