`node-ci-utils` / `win-env-setup` / `macos-ci-utils` npm droppers deliver the NastyC2 Rust post-exploitation framework
Three npm packages — node-ci-utils@2.1.4, win-env-setup@3.0.5/3.0.6, and macos-ci-utils@1.0.0/1.0.1 — masqueraded as CI tooling while acting as cross-platform droppers for NastyC2, a previously undocumented Rust post-exploitation framework with 80+ commands comparable in scope to Cobalt Strike and Sliver. npm removed all three packages between 2026-06-01 and 2026-06-13; the public disclosure landed in The Hacker News ThreatsDay Bulletin on 2026-06-18.
- Detected by
- The Hacker News
- Also known as
- NastyC2 · node-ci-utils dropper cluster
- Ecosystems
- npm
- Packages tracked
- 3
What happened
NastyC2 is a previously undocumented post-exploitation framework that was first observed in the wild through three deceptively-named npm packages whose runtime payloads dropped a Rust-based command-and-control implant.
The three droppers
Per the npm registry, the three packages and their published versions were:
node-ci-utils@2.1.4— Linux dropper; published 2026-05-14, unpublished from npm 2026-06-01.win-env-setup@3.0.5and3.0.6— Windows dropper; both versions published 2026-05-07, unpublished 2026-06-01.macos-ci-utils@1.0.0— macOS dropper; published 2026-05-19. A follow-up1.0.1re-publish on 2026-06-13 was unpublished the same day, suggesting the operator attempted to re-enter the registry briefly before npm shut the second wave down.
The names — "node CI utils", "Windows environment setup", "macOS CI utils" — are deliberately mundane: they sit in the same naming space as the hundreds of legitimate CI / environment helper packages on npm and would not trip a casual developer reviewing a lockfile diff. None of them implement any of the functionality their READMEs claim. Each one is a thin shim around a platform-specific dropper that pulls in NastyC2.
NastyC2 — Rust post-exploitation framework
NastyC2 is written entirely in Rust and ships an implant whose feature surface mirrors Cobalt Strike and Sliver:
- Execution primitives — BOF (Beacon Object File) / COFF (Common Object File Format) execution, reflective DLL loading, and multi-technique process injection (CreateRemoteThread / NtMapViewOfSection / APC queuing variants).
- Active Directory operators — native Kerberoasting (TGS-REQ harvesting against SPN-bearing accounts) and DCSync (DRSGetNCChanges replication) with no on-disk tools required.
- Defensive evasion — runtime AMSI and ETW patching, encrypted sleep so the implant never sits idle as a recognisable pattern in memory, and a fileless first stage that keeps the dropper off disk until persistence is explicitly chosen by the operator.
- Networking — SOCKS5 pivoting to chain access into internal networks behind the compromised host, plus standard C2 channels.
- Cloud + container — built-in cloud-metadata theft (IMDS / Azure IMDS / GCP metadata) and container-escape primitives targeting
cgroup/ kernel-namespace abuses.
The framework implements 80+ commands in total. That feature set is what makes NastyC2 noteworthy: it is not a single-purpose credential stealer like the Bun-runtime payload behind the Hades / Phantom Gyp / Mastra waves, but a full Rust C2 with the same scope as the commercial red-team kits, distributed through npm.
Disclosure timeline
- 2026-05-07 —
win-env-setup@3.0.5and@3.0.6published. - 2026-05-14 —
node-ci-utils@2.1.4published. - 2026-05-19 —
macos-ci-utils@1.0.0published. - 2026-06-01 — npm removes
win-env-setupandnode-ci-utilsfrom the registry. - 2026-06-13 —
macos-ci-utils@1.0.1is re-published and unpublished the same day, ending the campaign's npm presence. - 2026-06-18 — The Hacker News ThreatsDay Bulletin publishes the first public write-up naming the framework "NastyC2" and the three packages as droppers; covered in turn by Network Security Magazine, KSEC Community Forum, Cyber Tech World, and GuardianMSSP within 24 hours.
No CVE, GHSA, or OSV identifier had been published at the time the disclosure went live; the public record consists of the registry-side unpublishes plus the ThreatsDay bulletin and its republishers. No public attribution to a named threat actor has been made, but the deliberately-anonymised package names, the per-OS dropper split, and the maturity of the Rust implant suggest a developed operator rather than a one-off.
Affected packages (3)
- npm
macos-ci-utils1.0.01.0.1 - npm
node-ci-utils2.1.4 - npm
win-env-setup3.0.53.0.6
Impact
- Cross-platform implant install: each package is OS-specific (
node-ci-utilsfor Linux,win-env-setupfor Windows,macos-ci-utilsfor macOS) and drops a Rust-based NastyC2 agent the moment npm install resolves the matching tarball - Post-exploitation tradecraft normally seen in red-team kits: BOF/COFF execution, reflective DLL loading, multi-technique process injection, Active-Directory Kerberoasting and DCSync, AMSI/ETW patching, encrypted sleep, and SOCKS5 pivoting
- Cloud + container blast radius: 80+ command implementation covers cloud-metadata theft, container escape, and credential harvesting against AWS, Azure, GCP, Kubernetes service accounts, and developer SSH/Git material
- Fileless first stage: the dropper keeps no static on-disk artefact until the operator chooses to persist, so endpoint scanners that only look at
node_modulescontent miss the implant body - Multi-week dwell: the Windows and Linux droppers were live on npm from 2026-05-07 / 2026-05-14 until npm removed them on 2026-06-01 (~3 weeks); the macOS dropper persisted through to 2026-06-13 — any
npm installagainst an unpinned version during that window pulled the implant
What to do
- 1Grep your lockfile for any of
node-ci-utils,win-env-setup, ormacos-ci-utils— there is NO legitimate version of these packages, every published version was malicious - 2Treat any developer machine, CI runner, or container image that ran
npm installagainst an unpinned dependency on these names between 2026-05-07 and 2026-06-13 as fully compromised — rebuild from a known-clean image rather than attempting to clean in place - 3Rotate every credential reachable from the affected host: AWS / Azure / GCP keys + STS sessions, Kubernetes service-account tokens, npm publish tokens, GitHub PATs and OAuth tokens, SSH keys, and any browser-extension wallet seeds — and do the rotation from a separate clean device
- 4Hunt for NastyC2 implant artefacts: outbound TLS to unfamiliar hosts on long-poll intervals, unexpected SOCKS5 listeners, AMSI/ETW patching signatures, and new scheduled tasks / launchd plists / systemd units created during the exposure window
- 5Add these three package names to your registry-mirror denylist and to any internal "never resolve" allowlist used by Renovate / Dependabot to prevent re-introduction if a typosquat-aware scanner later flags them again
- 6For Active Directory environments touched by an affected workstation, hunt for new Kerberos service-ticket requests (Kerberoasting) and DRSGetNCChanges replication calls from unexpected sources during the exposure window
References
- The Hacker NewsThreatsDay Bulletin: Claude Chat Abuse, NastyC2 npm Packages, Device-Code Phishing + 25 More Storiesthehackernews.com
- Network Security MagazineThreatsDay Bulletin (mirror): NastyC2 npm packagesnetwork-security-magazine.com
- KSECKSEC Community Forum: NastyC2 npm packages discussion threadforum.ksec.co.uk
- npmnode-ci-utils on npm (unpublished 2026-06-01)registry.npmjs.org
- npmwin-env-setup on npm (unpublished 2026-06-01)registry.npmjs.org
- npmmacos-ci-utils on npm (unpublished 2026-06-13)registry.npmjs.org