-= Per source details. Do not edit below this line.=-
This package is a dependency-chain dropper. package.json declares 15 undocumented dependencies in three numbered families (web3chain02032*, rusttool0701*, btc202523*) pinned to ^1.1.1, none of which appear in the README that describes a standalone Go miner. The bundled tranpack.sh proves the campaign: an infinite loop that rewrites package.json's name from a ~500-word crypto/DeFi wordlist and runs npm publish, and the current name 3pool-sushibar is an output of that generator. The package itself is non-functional — the declared main entry index.js does not exist — confirming that its only purpose is to pull in attacker-controlled siblings. Two undocumented 22 MB Windows .exe binaries with mismatched hashes further contradict the README's source-only build story. Running npm install 3pool-sushibar fetches 15 attacker-controlled packages whose code is one hop away from inspection here; this is direct installer harm via namespace-abuse plus typosquat lure.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.0"
],
"id": "IN-MAL-2026-002166",
"modified_time": "2026-05-12T19:03:07Z",
"import_time": "2026-05-13T20:10:52.155142725Z",
"sha256": "5112bb2ea3570e56be6525c48ef026624f46dead693e78333696273c911c6c42",
"source": "amazon-inspector"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/3pool-sushibar/MAL-2026-3673.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"package_integrity": [
{
"filename": "3pool-sushibar-1.0.0.tgz",
"hashes": {
"sha1": "0643af94cdd04282527e983bb73a8201c3195b68",
"sha512_sri": "sha512-2gWpEcrZ1+7FlPh0r3MN3tz2dKxCjYZatJyM/zcA3PXTDO8+sWlUvT6wi0l3VrKvFsOhF5Ma3Df6po0IhyLuUA=="
}
}
],
"evidence_files": [
{
"path": "package.json",
"sha256": "c4378a5c3df23278db5252054add3d6a525f98fd747f5c1ee56a7415c4fd084c",
"tlsh": "741103a1cf26cab30e9d25dc855d002df2618a278845f81d37d7564ccb1e6ab71b817d"
},
{
"path": "tranpack.sh",
"sha256": "73def82b6c52b14bd664007f99f7f469efd809fe99bc5297a77d17674e75459d",
"tlsh": "8ed12f32f6414c3486ea03ee49650956f385c28bc389107cff4bbb8cab6ef5ad956614"
},
{
"path": "powerc20.exe",
"sha256": "3dbe880f08a8c880bdf647e11826acdc58198cd54a55b8c22402118b80c67423",
"tlsh": "52273a42f65049eacaa98674c9aa4385b770fc405f26a7c72b05f63c3c737d89eb8354"
}
]
}