-= Per source details. Do not edit below this line.=-
bandkit ships a React component (BandPanel) that, when rendered without an explicit strategyWalletAddress prop — the configuration shown in the package's own README — deploys a BandStrategy.sol contract with an immutable strategyWallet pulled from dist/defaultStrategyWallet.js. That file stores a 20-byte Ethereum address as cipher XOR key (two Uint8Array literals in the same file) which decodes to 0xe9e41c03d5b0b6fb543f4cd1cd8ad81ece4c830f. dist/useStrategyContractDeployment.js wires this in via args: [options.strategyWalletAddress?? getDefaultStrategyWallet()]. When end users of the installer's UI click 'Start Bot', BandStrategy.activateStrategyEngine() executes (bool ok, ) = strategyWallet.call{value: amount}(""), irrevocably transferring the depositor's entire ETH balance to the hardcoded address. The defaultStrategyWallet.js file even contains a header comment describing the XOR layer as 'cosmetic obfuscation... friction against casual npm-source scrapers', while the README explicitly states 'The package contains no hardcoded wallet addresses' and 'No hidden destinations'. The combination of (a) a default-recipient address embedded in the package, (b) deliberate obfuscation acknowledged in-source, and (c) a README that denies the address's existence is a silent-relay payload: a developer who follows the README ships a fund-stealing dApp to their own users. Installer harm: the installer publishes a UI that funnels its users' deposits to the package author.
{
"malicious-packages-origins": [
{
"versions": [
"1.0.7"
],
"sha256": "328d601aed275e0122f2d0be8b7c5b76b920aa0af6aa57e7bd64ab540a0c0db3",
"modified_time": "2026-05-25T23:10:12Z",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:53:17.712082388Z",
"id": "IN-MAL-2026-004795"
},
{
"versions": [
"1.0.9"
],
"sha256": "f17eed05248e00e40ac995b4a723da03f1e854a1445b2d99c6a52507511d3795",
"modified_time": "2026-05-25T23:33:05Z",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:53:18.284819359Z",
"id": "IN-MAL-2026-004800"
},
{
"versions": [
"1.0.9"
],
"sha256": "6d7546959efc9cf15944286e0fe5cce44965113def72bea55866d8a130937f89",
"modified_time": "2026-05-25T23:33:05Z",
"source": "amazon-inspector",
"import_time": "2026-05-26T05:53:18.145850241Z",
"id": "IN-MAL-2026-004799"
},
{
"versions": [
"1.0.7"
],
"sha256": "f1341a067075e690ff81c24889d925809a5c29a1a402ebfadaaf8b5f36331c9f",
"modified_time": "2026-05-25T23:10:12Z",
"source": "amazon-inspector",
"id": "IN-MAL-2026-004794",
"import_time": "2026-05-26T05:53:17.610898565Z"
},
{
"versions": [
"1.0.10"
],
"sha256": "c2586b0e7114265fe8e85fee87db4b264f1dce9a574916b333af41870369e44a",
"modified_time": "2026-05-26T11:26:08Z",
"source": "amazon-inspector",
"import_time": "2026-05-26T13:32:46.375461088Z",
"id": "IN-MAL-2026-004902"
},
{
"versions": [
"1.0.10"
],
"sha256": "8d03553469ab55441dd89101f56b8872adee9194c6390b76e77f58b662de46dc",
"modified_time": "2026-05-26T11:26:10Z",
"source": "amazon-inspector",
"import_time": "2026-05-26T13:32:46.433733788Z",
"id": "IN-MAL-2026-004903"
},
{
"versions": [
"1.0.11"
],
"sha256": "018a4cd7e1cf6b632a8d58acdbfc15f48dffb0428a71638b2d040152260e13cf",
"modified_time": "2026-05-26T14:32:19Z",
"source": "amazon-inspector",
"import_time": "2026-05-26T15:07:42.690325968Z",
"id": "IN-MAL-2026-004918"
},
{
"versions": [
"1.0.11"
],
"sha256": "c12036b3e8a5f609179a8f9a6109178d5cd21a40493140d54324c5e499912c07",
"modified_time": "2026-05-26T14:32:15Z",
"source": "amazon-inspector",
"import_time": "2026-05-26T15:07:42.5614868Z",
"id": "IN-MAL-2026-004917"
},
{
"versions": [
"1.0.16"
],
"sha256": "687dcebaf30461a2325de226851b84abfb6db6359a12c9392ece9c5ff02a620d",
"modified_time": "2026-06-12T19:11:15Z",
"source": "amazon-inspector",
"import_time": "2026-06-12T19:44:19.766645641Z",
"id": "IN-MAL-2026-006205"
},
{
"versions": [
"1.0.14"
],
"sha256": "ea0489597e99751b2d16ab93eb3f71a05c62b282f723c27aa2043808f7b99464",
"source": "amazon-inspector",
"modified_time": "2026-06-12T19:11:13Z",
"import_time": "2026-06-12T19:44:19.665072182Z",
"id": "IN-MAL-2026-006204"
}
]
}{
"package_integrity": [
{
"filename": "bandkit-1.0.9.tgz",
"hashes": {
"sha512_sri": "sha512-kksnEC+wcyf9moju5KAQhcIZdvwy0Z0xR9dV0uDS4EW3ihlAePKJ8iFsG3B7yzHp0HvR3qHDLIk6a5eqQwvHtQ==",
"sha1": "42528be918cdb17e13b6f9a41e609d90ed36399e"
}
}
],
"evidence_files": [
{
"sha256": "666411bb4696a85222f502e377c61ab6fe5d845be70cc092cdcf5df87de98b3d",
"path": "dist/useStrategyContractDeployment.js",
"tlsh": "a5222c94b2f3530a4ca36479064fd1147d227e07710dc9513bbc9b229fd84a5caebbe9"
},
{
"sha256": "d1620d87aff5eb6b9e44d319033008454d3e9bbd70d8cbd6061bf96dfd970884",
"path": "dist/defaultStrategyWallet.js",
"tlsh": "9c311f0a3f905af2008bc1ab468d41e3ea8a28d3b61958dcb05e45149f6183dc5feed7"
}
],
"domains": [
"pkg.pr.new"
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/bandkit/MAL-2026-4496.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]