MAL-2026-10552

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eth-dev/MAL-2026-10552.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10552
Published
2026-07-14T05:21:51Z
Modified
2026-07-14T18:49:33.902190601Z
Summary
Malicious code in eth-dev (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (51f051957ac6f91e8567df873978b45c0c81a170f94decbd735d329f312ff1bb)

On require(), index.js schedules a 37-second delayed routine that reads test/fixtures/keypairs.dat, base64-decodes it into ~/.cache-db/.node-sync/syncd.js (mode 0o700), and spawns it detached via node syncd.js. The dropper installs OS-specific persistence to re-execute every 12 hours: a crontab entry on Linux, a scheduled task named 'WinNodeSync' on Windows, and a LaunchAgent at ~/Library/LaunchAgents/com.apple.syncd.plist on macOS. The decoded payload ('phantom syncd v3') walks the user's home directory matching filenames and contents against wallet/seed keywords (seed, mnemonic, recovery, wallet, private, metamask, phantom, ledger, trezor,...), pulls mutable configuration from a hardcoded GitHub Gist (juang55/b298754cb72942b1cdcf02ccd45cde2f), and uploads harvested material to Pinata IPFS using hardcoded API credentials embedded in the payload. Cover-story naming (keypairs.dat as a 'test fixture', com.apple.syncd, WinNodeSync) is used to mimic legitimate system services. The package presents itself as an Ethereum utilities library.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010401",
            "import_time": "2026-07-14T05:49:20.109573978Z",
            "sha256": "51f051957ac6f91e8567df873978b45c0c81a170f94decbd735d329f312ff1bb",
            "versions": [
                "1.0.1"
            ],
            "modified_time": "2026-07-14T05:22:02Z"
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010400",
            "import_time": "2026-07-14T05:49:19.946580212Z",
            "sha256": "605cf5aa9087e75f5c626943f65433b80f003a8a5169b20ba00354e720f0d58f",
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-07-14T05:21:51Z"
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010402",
            "import_time": "2026-07-14T05:49:20.218668085Z",
            "sha256": "ed1b1d03321430ea28173c5a446904054fa9ea4410f41b6071c13765fae51572",
            "versions": [
                "1.0.2"
            ],
            "modified_time": "2026-07-14T05:22:09Z"
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010507",
            "import_time": "2026-07-14T13:35:50.490453733Z",
            "sha256": "245d32980e6b9ac37750d52d24d81599a2fac0167c0a497ef560ead6685ebc45",
            "versions": [
                "1.0.3"
            ],
            "modified_time": "2026-07-14T13:12:44Z"
        },
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010535",
            "import_time": "2026-07-14T18:28:26.941806079Z",
            "sha256": "6f230c5d2abfbe1f677ce624fc24064c029ee717512f750713e2b5a7a8ab9186",
            "versions": [
                "1.0.4"
            ],
            "modified_time": "2026-07-14T17:54:38Z"
        }
    ]
}
References
Credits

Affected packages

npm / eth-dev

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eth-dev/MAL-2026-10552.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "eth-dev-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-vFDWFoGsAFvKP44xx8rRD4q+Suc5F9jFCYGtzOEz34KjBfJ5jdyWIq2L56l/62/eJkuyNhbRAkr109sZuChLnQ==",
                "sha1": "0d547f0524e466b2ad7bb55bed07d725d875d309"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "da511d1a5e37870776f5dec172aae6deed57d8377c272a3fa4b1d49168185026",
            "tlsh": "7991844476e736a5197670f612ab881a70fda4c31258ee69799cd0c20f904348bfbfe8"
        },
        {
            "path": "test/fixtures/keypairs.dat",
            "sha256": "89893e61ef57050cb1129bcfc4c9d233d19ce9e6d1da06036ec9256c752a4863",
            "tlsh": "53920a22cd8f2d44df75f5872ace2ec7096c5bcaa4b25cce954b97cd844a16208fd0e9"
        }
    ]
}