MAL-2026-10637

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mc-reg/MAL-2026-10637.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-10637
Published
2026-07-15T00:01:17Z
Modified
2026-07-15T05:20:04.537192755Z
Summary
Malicious code in mc-reg (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (93ca15954536abe30ea5c7f5bc5a06192f3946c98d74edef9d90edbc52cb9d95)

mc-reg advertises itself as a Cosmos chain-registry data package (README shows chain-registry-style assets/chains/ibc API), but its main and ESM entrypoints do not expose that data. Instead, index.js lazy-imports and re-exports PartnerVaultHttpProvider from an unrelated runtime dependency chain-sdk-js, and esm/index.js statically imports it — so require('mc-reg') or import { chains } from 'mc-reg' transparently pulls chain-sdk-js into the consumer's dependency tree. The pulled dependency's persistence/chain.js contains a wallet-secret interception + exfiltration pattern: a hardcoded destination reconstructed from a char-code array (ping/ping/ping decode-and-join sequence at lines 320-322 / 322-324) and POST calls (lines 118/204 and 120/206) that ship data to a non-caller-configured host, matching the shape of BIP-39 mnemonic / private-key theft from a wallet/signing path. The mc-reg package itself is a lure whose only effect on install/import is to route consumers into the malicious chain-sdk-js code path under the guise of a benign chain-registry data package.

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "amazon-inspector",
            "id": "IN-MAL-2026-010587",
            "import_time": "2026-07-15T00:34:11.09941447Z",
            "sha256": "93ca15954536abe30ea5c7f5bc5a06192f3946c98d74edef9d90edbc52cb9d95",
            "versions": [
                "1.0.3"
            ],
            "modified_time": "2026-07-15T00:01:17Z"
        },
        {
            "id": "IN-MAL-2026-010588",
            "source": "amazon-inspector",
            "import_time": "2026-07-15T00:34:11.18040322Z",
            "sha256": "da00efeec184136a983b9e22cbf2a5c575c77225c24fd288c7647107e29091c6",
            "versions": [
                "1.0.4"
            ],
            "modified_time": "2026-07-15T00:01:27Z"
        }
    ]
}
References
Credits

Affected packages

npm / mc-reg

Package

Affected ranges

Affected versions

1.*
1.0.3
1.0.4

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mc-reg/MAL-2026-10637.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    },
    {
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "mc-reg-1.0.3.tgz",
            "hashes": {
                "sha512_sri": "sha512-/3SvtmOpjaLoU68Cfw03Vt7BQ/xzm6o/jXXe7g7XcowfQ7I4PJfocQSnAhv1bW0Naui41B5iItvdfKl0cLAHSA==",
                "sha1": "8e059358571565868f23c8278e1a79882966359b"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "f477d128df56dc293d3371c1c6098b8b0a0c455e3a19db8a8432a0b6e5eada5e",
            "tlsh": "39315baab8f350a1431b7ffc7e9d8d46e66c5553606c8968742e5330df83c248e942c6"
        }
    ]
}