npm Package Deploys Python Stealer Targeting 100+ Crypto Wallets
At 08:46 UTC on January 23rd, 2026, our malware detection system flagged a package called ansi-universal-ui. The name sounds like a boring UI component library. The description even says it’s “a lightweight, modular UI component system for modern web applications.” Very professional. Very normal. Except it’s not.
What we found is a sophisticated multi-stage infostealer that downloads its own Python runtime, executes a heavily obfuscated payload, and exfiltrates your browser credentials, cryptocurrency wallets, cloud credentials, and Discord tokens to an Appwrite storage bucket. It also carries an embedded Windows DLL that gets injected into browser processes using NT native APIs. The malware calls itself “G_Wagon” internally, presumably…
