-= Per source details. Do not edit below this line.=-
On require(), index.js schedules a 37-second delayed routine that reads test/fixtures/keypairs.dat, base64-decodes it into ~/.cache-db/.node-sync/syncd.js (mode 0o700), and spawns it detached via node syncd.js. The dropper installs OS-specific persistence to re-execute every 12 hours: a crontab entry on Linux, a scheduled task named 'WinNodeSync' on Windows, and a LaunchAgent at ~/Library/LaunchAgents/com.apple.syncd.plist on macOS. The decoded payload ('phantom syncd v3') walks the user's home directory matching filenames and contents against wallet/seed keywords (seed, mnemonic, recovery, wallet, private, metamask, phantom, ledger, trezor,...), pulls mutable configuration from a hardcoded GitHub Gist (juang55/b298754cb72942b1cdcf02ccd45cde2f), and uploads harvested material to Pinata IPFS using hardcoded API credentials embedded in the payload. Cover-story naming (keypairs.dat as a 'test fixture', com.apple.syncd, WinNodeSync) is used to mimic legitimate system services. The package presents itself as an Ethereum utilities library.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"id": "IN-MAL-2026-010401",
"import_time": "2026-07-14T05:49:20.109573978Z",
"sha256": "51f051957ac6f91e8567df873978b45c0c81a170f94decbd735d329f312ff1bb",
"versions": [
"1.0.1"
],
"modified_time": "2026-07-14T05:22:02Z"
},
{
"source": "amazon-inspector",
"id": "IN-MAL-2026-010400",
"import_time": "2026-07-14T05:49:19.946580212Z",
"sha256": "605cf5aa9087e75f5c626943f65433b80f003a8a5169b20ba00354e720f0d58f",
"versions": [
"1.0.0"
],
"modified_time": "2026-07-14T05:21:51Z"
},
{
"source": "amazon-inspector",
"id": "IN-MAL-2026-010402",
"import_time": "2026-07-14T05:49:20.218668085Z",
"sha256": "ed1b1d03321430ea28173c5a446904054fa9ea4410f41b6071c13765fae51572",
"versions": [
"1.0.2"
],
"modified_time": "2026-07-14T05:22:09Z"
},
{
"source": "amazon-inspector",
"id": "IN-MAL-2026-010507",
"import_time": "2026-07-14T13:35:50.490453733Z",
"sha256": "245d32980e6b9ac37750d52d24d81599a2fac0167c0a497ef560ead6685ebc45",
"versions": [
"1.0.3"
],
"modified_time": "2026-07-14T13:12:44Z"
},
{
"source": "amazon-inspector",
"id": "IN-MAL-2026-010535",
"import_time": "2026-07-14T18:28:26.941806079Z",
"sha256": "6f230c5d2abfbe1f677ce624fc24064c029ee717512f750713e2b5a7a8ab9186",
"versions": [
"1.0.4"
],
"modified_time": "2026-07-14T17:54:38Z"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eth-dev/MAL-2026-10552.json"
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "eth-dev-1.0.1.tgz",
"hashes": {
"sha512_sri": "sha512-vFDWFoGsAFvKP44xx8rRD4q+Suc5F9jFCYGtzOEz34KjBfJ5jdyWIq2L56l/62/eJkuyNhbRAkr109sZuChLnQ==",
"sha1": "0d547f0524e466b2ad7bb55bed07d725d875d309"
}
}
],
"evidence_files": [
{
"path": "index.js",
"sha256": "da511d1a5e37870776f5dec172aae6deed57d8377c272a3fa4b1d49168185026",
"tlsh": "7991844476e736a5197670f612ab881a70fda4c31258ee69799cd0c20f904348bfbfe8"
},
{
"path": "test/fixtures/keypairs.dat",
"sha256": "89893e61ef57050cb1129bcfc4c9d233d19ce9e6d1da06036ec9256c752a4863",
"tlsh": "53920a22cd8f2d44df75f5872ace2ec7096c5bcaa4b25cce954b97cd844a16208fd0e9"
}
]
}