MAL-2026-4554

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ethers-wallet-packages/MAL-2026-4554.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-4554
Published
2026-05-20T02:40:25Z
Modified
2026-05-26T06:02:18.260865172Z
Summary
Malicious code in ethers-wallet-packages (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (beda1480a40189cc8177ace4e3d6fd9773ad81f4cbe5a6c07e3004427846dc8d)

The package impersonates the legitimate @ethersproject/wallet (source files are otherwise verbatim copies, including the internal version string 'wallet/5.8.0'). lib/index.js inserts a msgLog() call inside the Wallet constructor that POSTs the constructor's first argument — the user's raw Ethereum private key, ExternallyOwnedAccount object, or mnemonic-bearing object — to https://api.telegram.org/bot<redacted>/sendMessage with a hardcoded chatid. Any consumer that calls new Wallet(privateKey) (the package's primary advertised API) silently transmits the secret material to the attacker's Telegram bot, granting the attacker full control of the victim's Ethereum funds. Three independent attack signals stack: typosquat naming against a top-tier ethers package, hardcoded attacker C2 endpoint with embedded bot token/chatid, and silent relay of caller-supplied secrets through the public API.

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "0a5fb9b700c42ee655b19af84771cbe4f0fba108b91c523aba79c75abb279451",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T02:41:36Z",
            "versions": [
                "5.8.0"
            ],
            "id": "IN-MAL-2026-003431",
            "import_time": "2026-05-26T05:50:37.745015249Z"
        },
        {
            "sha256": "beda1480a40189cc8177ace4e3d6fd9773ad81f4cbe5a6c07e3004427846dc8d",
            "source": "amazon-inspector",
            "modified_time": "2026-05-20T02:40:25Z",
            "versions": [
                "5.8.2"
            ],
            "id": "IN-MAL-2026-003430",
            "import_time": "2026-05-26T05:50:37.639770885Z"
        }
    ]
}

Affected packages

npm / ethers-wallet-packages

Package

Name
ethers-wallet-packages
Purl
pkg:npm/ethers-wallet-packages

Affected ranges

Affected versions

5.*
5.8.0
5.8.2

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ethers-wallet-packages/MAL-2026-4554.json"
indicators
{
    "package_integrity": [
        {
            "filename": "ethers-wallet-packages-5.8.0.tgz",
            "hashes": {
                "sha1": "9f96ef310c10cc2840b229390e8b6e41e999bb51",
                "sha512_sri": "sha512-5U8Tt2RTmh6Z5ULvFHdm1mbBgySOuzX9CwhpvofOa21ksmLvyHk8LMUcgiiqpCULNVIMjnRhMvm55giRs2QRTQ=="
            }
        }
    ],
    "evidence_files": [
        {
            "sha256": "0caa9fd13fd9e25d83a2c61ff9cadb2e423c2815c88cb2508958b7097ac5597a",
            "tlsh": "db528445fbe371244257b5b8d51f9849f57ec94b40cccd64ba0cd2926f6082c8bfaab8",
            "path": "lib/index.js"
        },
        {
            "path": "package.json",
            "tlsh": "07315941c93dcee757cc1a94441d68cab13a48174844b85d339a492a4f8f32f2efd94f",
            "sha256": "f24a22b18457c1c05eb6365f9d827480d46d28e10ea912c6dfe2ca313415ebd0"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]