MAL-2026-4540

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/crypt0co-walet-poc/MAL-2026-4540.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4540
Published
2026-05-21T22:33:52Z
Modified
2026-05-26T06:02:25.931228346Z
Summary
Malicious code in crypt0co-walet-poc (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b5510d98b1e380f6c130bf9b4428321d711ae88d8a4fcb66368a2f6fb4e7ff58)

On require/import, index.js (lines 6-12) serializes the full process.env to /tmp/poc_impact.json and runs whoami and ip addr via execSync to fingerprint the host. Any consumer that imports this package leaks every environment variable available to the Node process — on CI and developer machines this routinely includes cloud credentials, npm/GitHub tokens, and other secrets — into a predictable, world-readable path in /tmp where any local user or subsequent process can read them. The package name crypt0co-walet-poc uses character substitutions (0 for o, walet for wallet) consistent with impersonation of crypto-wallet packages, and the code self-labels as CRITICAL IMPACT POC P0. Author metadata fields (description, keywords, author) are empty. Even if the publisher's stated intent is bug-bounty research, the installer harm — full environment dump plus recon command execution at import time — is real and unconsented.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "b5510d98b1e380f6c130bf9b4428321d711ae88d8a4fcb66368a2f6fb4e7ff58",
            "id": "IN-MAL-2026-004052",
            "source": "amazon-inspector",
            "modified_time": "2026-05-21T22:33:52Z",
            "versions": [
                "1.0.0"
            ],
            "import_time": "2026-05-26T05:51:50.776375939Z"
        }
    ]
}
References
Credits

Affected packages

npm / crypt0co-walet-poc

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/crypt0co-walet-poc/MAL-2026-4540.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "tlsh": "281157650aa552b83cf100c27f4790622187ae633650e1e9712d97f25fc9988922a4ff",
            "sha256": "fdb1d3127b85d6bf3fde19d20d9c4630ca36dbd6865c5c57e0365fefb2e72ae7",
            "path": "index.js"
        },
        {
            "sha256": "d6a4f7ebf805c21e69378d611c5080ddf5b3d92ac60d9c06c17a6ecd6c95d4d2",
            "tlsh": "4ed0a7281eb2943315c052260d69d552b761df5f04547c0c63cf582c92efab769fa30d",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "filename": "crypt0co-walet-poc-1.0.0.tgz",
            "hashes": {
                "sha1": "83cd2a016c6afac178f0f898d46bb83d0682b358",
                "sha512_sri": "sha512-qo0lFEfOD54THH5e+5Q0++S/QWpnA9tJJ9Y+txCgpBr7z9iSKfiaAr7osd7jjhFotXP2b544sQSt+aczeaZckw=="
            }
        }
    ]
}