Note: This report is updated by a verification record
Crypto/SSH/wallet stealer (self-labeled "CRYPTO STEALER"). postinstall scripts/postinstall.js auto-execs, src/index.js harvests ~/.ssh/id_rsa + wallet keys/seeds + env and exfils to hardcoded Telegram bot 8227918239:AAGEMDrBZluDsBBYPxfSyMuv2l3FY8cZCcs chat 6433587894. Auto-exec + hardcoded attacker Telegram exfil; "blockchain-helper" identity has no reason to read SSH/wallet keys.
-= Per source details. Do not edit below this line.=-
The package was found to contain malicious code or consuming dependency that contains malicious code
{
"malicious-packages-origins": [
{
"modified_time": "2026-07-09T22:04:11Z",
"versions": [
"1.0.0"
],
"sha256": "8b9fac34e13ad38cb702f7aad434d18aa276005fe5fa4cbe48c7eb65af26623d",
"id": "IN-MAL-2026-009498",
"source": "amazon-inspector",
"import_time": "2026-07-09T22:56:28.455668639Z"
}
]
}{
"package_integrity": [
{
"hashes": {
"sha1": "79dddca421f87000c8cba950f2c0d8bfc498c154",
"sha512_sri": "sha512-f1S8S011AAFtPWDcCO2jw7cvg+crT0FZWF78PjaGCOwODvjJ930n0kiQDh58XADte6fFp8YXjskkpTRqTblb2A=="
},
"filename": "blockchain-helper-0-1.0.0.tgz"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/blockchain-helper-0/MAL-2026-5352.json"