MAL-2026-5352

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/blockchain-helper-0/MAL-2026-5352.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5352
Published
2026-06-09T07:53:45Z
Modified
2026-07-09T23:02:06.023380186Z
Summary
Malicious code in blockchain-helper-0 (npm)
Details

Note: This report is updated by a verification record

Crypto/SSH/wallet stealer (self-labeled "CRYPTO STEALER"). postinstall scripts/postinstall.js auto-execs, src/index.js harvests ~/.ssh/id_rsa + wallet keys/seeds + env and exfils to hardcoded Telegram bot 8227918239:AAGEMDrBZluDsBBYPxfSyMuv2l3FY8cZCcs chat 6433587894. Auto-exec + hardcoded attacker Telegram exfil; "blockchain-helper" identity has no reason to read SSH/wallet keys.


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (8b9fac34e13ad38cb702f7aad434d18aa276005fe5fa4cbe48c7eb65af26623d)

The package was found to contain malicious code or consuming dependency that contains malicious code

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-07-09T22:04:11Z",
            "versions": [
                "1.0.0"
            ],
            "sha256": "8b9fac34e13ad38cb702f7aad434d18aa276005fe5fa4cbe48c7eb65af26623d",
            "id": "IN-MAL-2026-009498",
            "source": "amazon-inspector",
            "import_time": "2026-07-09T22:56:28.455668639Z"
        }
    ]
}
References
Credits

Affected packages

npm / blockchain-helper-0

Package

Name
blockchain-helper-0
View open source insights on deps.dev
Purl
pkg:npm/blockchain-helper-0

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha1": "79dddca421f87000c8cba950f2c0d8bfc498c154",
                "sha512_sri": "sha512-f1S8S011AAFtPWDcCO2jw7cvg+crT0FZWF78PjaGCOwODvjJ930n0kiQDh58XADte6fFp8YXjskkpTRqTblb2A=="
            },
            "filename": "blockchain-helper-0-1.0.0.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/blockchain-helper-0/MAL-2026-5352.json"