-= Per source details. Do not edit below this line.=-
At npm install time the preinstall script (dist/index.min.js) reads installer-owned secrets — ~/.ssh/idrsa, ~/.env, ~/.env.local, ~/.wallet.json — and iterates process.env for keys matching PRIVATE*, MNEMONIC*, and SECRET*. Extracted content is scanned for 64-hex and WIF private keys and posted, along with the installer's hostname and username, to https://api.telegram.org/bot<redacted>/sendMessage using a hardcoded bot token. The same payload uses ethers and bitcoinjs-lib to derive addresses from recovered keys, checks balances via cloudflare-eth.com and blockchain.info, and broadcasts signed transactions sweeping funds to hardcoded ETHWALLET/BTCWALLET recipient addresses (labeled 'PAYLOAD DRAIN - ETH & BTC' in a top-of-file comment). A binding.gyp file additionally uses GYP command expansion (<!(node -e "require('./dist/index.min.js')...")) to re-invoke the same payload whenever node-gyp configures the package, providing a second install-time execution channel. The package name mimics legitimate Web3 helper libraries, package.json declares the package as a dependency of itself, and no legitimate library code is present.
{
"malicious-packages-origins": [
{
"source": "amazon-inspector",
"id": "IN-MAL-2026-010550",
"import_time": "2026-07-14T20:28:24.121846246Z",
"sha256": "673acc92b18aa385701afe25bcb0d4da048befdd8143598ba554b62636933464",
"versions": [
"1.0.2"
],
"modified_time": "2026-07-14T19:48:49Z"
},
{
"source": "amazon-inspector",
"id": "IN-MAL-2026-010559",
"import_time": "2026-07-14T20:28:24.560327048Z",
"sha256": "802fa1bdc8bbd31952bbde5adc7a537674a5d1e73f36c1030d6ebda0b364e0bc",
"versions": [
"1.0.1"
],
"modified_time": "2026-07-14T20:11:09Z"
},
{
"id": "IN-MAL-2026-010552",
"source": "amazon-inspector",
"import_time": "2026-07-14T20:28:24.193992861Z",
"sha256": "9d5230cf08adcdf1d9108129f5c80e569b74774b7f2cb5e55aeb60be8d737225",
"versions": [
"1.0.5"
],
"modified_time": "2026-07-14T19:49:05Z"
},
{
"id": "IN-MAL-2026-010549",
"source": "amazon-inspector",
"import_time": "2026-07-14T20:28:24.074848122Z",
"sha256": "bb43f9d9c5d297e5acc040dcc52ec91e44312af87b70777cdd438ae5107c795c",
"versions": [
"1.0.3"
],
"modified_time": "2026-07-14T19:48:36Z"
},
{
"source": "amazon-inspector",
"id": "IN-MAL-2026-010556",
"import_time": "2026-07-14T20:28:24.425490349Z",
"sha256": "c619fef9a5f0e633c0649958f00fb9754e372df8025a0a20472911eb7364421d",
"versions": [
"1.0.0"
],
"modified_time": "2026-07-14T19:53:56Z"
},
{
"id": "IN-MAL-2026-010551",
"source": "amazon-inspector",
"import_time": "2026-07-14T20:28:24.154291607Z",
"sha256": "e4a7081cede1c6330f3f5fef7baba3590b652557f995cf35ad724cc24e0593d3",
"versions": [
"1.0.4"
],
"modified_time": "2026-07-14T19:48:56Z"
},
{
"source": "amazon-inspector",
"id": "IN-MAL-2026-010558",
"import_time": "2026-07-14T20:28:24.501944697Z",
"sha256": "7963f106618c7defa2e9704d7a1fd372c50bb733f7a7aaab92ffc284f5b2eb11",
"versions": [
"1.0.6"
],
"modified_time": "2026-07-14T20:10:57Z"
}
]
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@web3-helpers/core/MAL-2026-10611.json"
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
}
]
{
"package_integrity": [
{
"filename": "core-1.0.2.tgz",
"hashes": {
"sha512_sri": "sha512-5GMq9RlpyT2ecbH4VQH5JdaMnf9RNYiJOFp7QAlU6wtOkvdcI2iIibAWKXWhcZmmUUPSK3hHWhhHnmtVTugoJw==",
"sha1": "cc5111851ba81261477dde83d886b04bdd7d349d"
}
}
],
"evidence_files": [
{
"path": "dist/index.min.js",
"sha256": "bb830442e64d60f45eea0231dd38957f9750557bc39a9f1d109f88c67a69b245",
"tlsh": "e6f1d85c8f8b1d4dcb58d46260df29ea065f17db30b315ff442be7da16b8052a4c82e8"
}
]
}