-= Per source details. Do not edit below this line.=-
Package name typosquats the popular 'ethers' library. package.json declares a postinstall pointing at dist/index.min.js, whose sole top-level statement is eval(Buffer.from('<base64>','base64').toString()). The decoded payload enumerates installer secrets (env vars including PRIVATEKEY, MNEMONIC, AWSSECRETACCESSKEY, GITHUBTOKEN, NPMTOKEN; files including.env, ~/.aws/credentials, ~/.ssh/idrsa, ~/.npmrc, wallet.json, keystore.json, seed.txt) and POSTs them to a hardcoded Telegram bot endpoint at api.telegram.org. Any 64-hex or WIF private key recovered is loaded into an ethers.Wallet, balance-checked against cloudflare-eth.com, and drained via sendTransaction to hardcoded attacker ETH/BTC addresses (ETH 0x72bC6c85847136..., BTC bc1qvg0vmlxf2ly248my69r2k6zut8s4q93j9mqvtf); BTC transactions are pushed via blockchain.info/pushtx. Persistence is established by appending 'node /tmp/sys-core.js &' to ~/.bashrc, ~/.zshrc, and ~/.profile, writing ~/.config/autostart/sys-core.desktop, and dropping /tmp/sys-core.js, which polls an attacker webhook via childprocess.exec. A companion config/attacker-config.json ships the attacker's Telegram bot token, chat_id, wallet destinations, and target secret path/env-var list.
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-14T12:55:50Z",
"versions": [
"6.13.7"
],
"source": "amazon-inspector",
"id": "IN-MAL-2026-010503",
"sha256": "c45244535e6a0091daf7b425d3d8c5040f26b487db54fdae84efc63a17fbf76d",
"import_time": "2026-07-14T13:35:49.813639239Z"
},
{
"sha256": "3959190c7c321e0d6f512b89b3c54a6399f3e6f7daecd0563ff753a6a6fed2f5",
"versions": [
"6.13.5"
],
"source": "amazon-inspector",
"id": "IN-MAL-2026-010590",
"modified_time": "2026-07-15T00:55:11Z",
"import_time": "2026-07-15T01:37:34.782555096Z"
}
]
}[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"package_integrity": [
{
"filename": "ethers-core-6.13.7.tgz",
"hashes": {
"sha512_sri": "sha512-4IwhvXP0eaevv+UK1Y4hQg0IzVTSCgoZyaETPZPpNe3C0Glonn7o1am5vVAQvxlwtjgTkufvZ7l1rRF/BMubiQ==",
"sha1": "6b8e3dba069b6e22ddd0aa7a022ac34d9c60f0af"
}
}
],
"evidence_files": [
{
"path": "dist/index.min.js",
"sha256": "9a6590abaabeb87db1c3ae369b7ffc09e305973a33a5e961da841c06cb8af780",
"tlsh": "e3f175d61bf71530027731d89b1f6141a527f18bb20ddce9badc82216f0b92899e2ecc"
},
{
"path": "package.json",
"sha256": "4270c637bb5b6a1c4e7644abc34f507cd85facb49f378711f7ac381228092209",
"tlsh": "a4f04629d924df6319ec2f801c2c214679716d0b95d4bc1d279b050e9b4f7bf11be2ae"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ethers-core/MAL-2026-10580.json"