MAL-2026-10571

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wrenfield/viem/MAL-2026-10571.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10571
Published
2026-07-14T06:17:33Z
Modified
2026-07-14T07:19:24.744677483Z
Summary
Malicious code in @wrenfield/viem (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fa26048a977a00adcd1ffc42ccf06110e3807bb2a3145a01fd01318dcfe79771)

Package @wrenfield/viem impersonates the popular viem library (homepage viem.sh, repo wevm/viem); README and authors fields credit the real viem maintainers but the package itself is published under an unrelated @wrenfield scope. The shipped source under _cjs/ mirrors viem's real code, but package.json rewrites the abitype dependency via npm alias: "abitype": "npm:@wrenfield/abitype@1.2.4". The CommonJS entry _cjs/index.js calls require("abitype") at module load, so any installer who require()s or imports @wrenfield/viem transitively pulls and executes code from @wrenfield/abitype@1.2.4 — a separate package under the same attacker-controlled scope, outside this tarball. The combination of brand impersonation of a top npm package plus a silent dependency redirect to an attacker-controlled namespace is the namespace-abuse / dependency-hijack pattern: the lure package looks legitimate on inspection, while the actual payload is delivered through the redirected dependency at first import.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "sha256": "fa26048a977a00adcd1ffc42ccf06110e3807bb2a3145a01fd01318dcfe79771",
            "id": "IN-MAL-2026-010485",
            "import_time": "2026-07-14T06:49:57.129957893Z",
            "modified_time": "2026-07-14T06:17:33Z",
            "versions": [
                "2.53.4"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / @wrenfield/viem

Package

Name
@wrenfield/viem
View open source insights on deps.dev
Purl
pkg:npm/%40wrenfield/viem

Affected ranges

Affected versions

2.*
2.53.4

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@wrenfield/viem/MAL-2026-10571.json"
cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "viem-2.53.4.tgz",
            "hashes": {
                "sha512_sri": "sha512-go+1CFenlU6sWh/e8Xa5CuE98k8q/L9DsDR7OKy/4qNxmjXrAboses7tdX7mHYO5bANFO+zMlTGRyo7M8yKtPA==",
                "sha1": "0a34fa743fad354d6b7f8e1eee8b6ef05df19aef"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "8b462fed2b4fef789f286a79723b172bc028feaa1315cb9f174e87cf15335e3f",
            "tlsh": "cde1af12d0e81ea31186b724eb5aaa56a0b24053cd647c9433ed403d8f9d99f43ffb5e"
        }
    ]
}