MAL-2026-10413

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eth-base/MAL-2026-10413.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10413
Published
2026-07-13T06:51:45Z
Modified
2026-07-13T07:47:02.301212494Z
Summary
Malicious code in eth-base (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (bcc98bc680f3d0b8c6dcf396d9f2425a5153658259014384cedf82698413755b)

The published lib/index.js contains ~60KB of obfuscated JavaScript appended after a copy of the legitimate web3.js web3-core-subscriptions module. On require(), the appended IIFE loads axios, issues an HTTPS request to a URL reconstructed at runtime from custom base-85 alphabets, and on a specific response constructs new Function('require', <remote-token>)(require) to execute attacker-supplied JavaScript in-process with full Node require access. The corresponding src/index.js is the clean upstream module, indicating the payload was injected only into the shipped build. The package name and description impersonate a web3.js helper (LGPL header still credits Fabian Vogelsteller fabian@ethereum.org) while the repository field is empty. Consumers who require this package receive arbitrary code execution on the installing host at load time.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "bcc98bc680f3d0b8c6dcf396d9f2425a5153658259014384cedf82698413755b",
            "id": "IN-MAL-2026-009837",
            "import_time": "2026-07-13T07:40:12.175169146Z",
            "modified_time": "2026-07-13T06:51:45Z",
            "versions": [
                "1.0.0"
            ],
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / eth-base

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "tlsh": "54638a4a59c7b017aa8091d9d8c4a1c5b692293bff8f391cfd44a24eef47d80d2fb095",
            "sha256": "e10aff66d009d9c112131880ed749fd55105931698bf60005f7a69bb3201cbcd",
            "path": "lib/index.js"
        },
        {
            "sha256": "6e929f6afa0314788a5da0d125dd1f88ac530fea0cd31c9c6ae62ed4bf73a142",
            "tlsh": "43016d38c8655cb305de62a6fc99454292b5520f0d18bc48339c62ac4f6d1df54fe79e",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "eth-base-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-jiqLppgvoS7DKPtqxSqitcN5X8heh9/KsY9jRd8HJsjEl+3uWn8q1cWmjcMUxWj3286K1nP/2G688IE+tgeMmg==",
                "sha1": "12e2dc0a3c9d53fb5bef37f3dde4d49ec1ece92d"
            }
        }
    ]
}
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eth-base/MAL-2026-10413.json"