MAL-2026-5354

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/defi-tools-39/MAL-2026-5354.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5354
Published
2026-06-09T07:55:43Z
Modified
2026-06-11T01:31:29.817059902Z
Summary
Malicious code in defi-tools-39 (npm)
Details

Crypto/SSH/wallet stealer, a sibling of the blockchain-helper-0 campaign (c960+), byte-identical to swap-sdk-87. A postinstall hook auto-executes src/index.js, which harvests ~/.ssh keys, Sol/Eth/BTC/Tron/Sui/Aptos wallets, .env files and seed phrases, self-labels the payload "CRYPTO STEALER", and exfiltrates to the SAME Telegram bot 8227918239, chat 6433587894 (not rotated).


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (d56fe423f0b7b6fd3188d49ea50e2ebb2e7f6e6c76c5c4682062395b7fe11a94)

On npm install, the postinstall hook requires src/index.js, which enumerates a hardcoded list of crypto wallet files, SSH private keys, and environment/mnemonic files in the user's home and current working directory (including ~/.ssh/id_rsa, ~/.config/solana/id.json, .env, and seed/mnemonic files for Solana, Ethereum, Bitcoin, Tron, Sui, and Aptos). The collected file contents are POSTed to api.telegram.org using a hardcoded bot token (8227918239:AAGE...) and chat ID (6433587894). The payload self-identifies as <b>CRYPTO STEALER</b> in the Telegram message body. Execution is gated by an isTestEnvironment() check at src/index.js:11-26 that suppresses the payload in CI, GitHub Actions, Jenkins, Docker, and sandbox-shaped hostnames/usernames; this is analysis evasion intended to keep the stealer dormant during scanning and active on developer workstations. The package ships no legitimate functionality; the generic name defi-tools-39 with a bland 'Cryptocurrency wallet management toolkit' description targets developers searching for DeFi/wallet tooling, the cohort most likely to have on-disk wallet keypairs.
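As an added example (not code from the OSV record or from the ossf/malicious-packages project), the following pre-install triage checks an extracted npm tarball for the pattern described above: an install-lifecycle hook whose script references secret-bearing paths and a Telegram exfiltration channel. The sample package.json and index.js strings are constructed; the bot ID, chat ID and file paths used as indicators are the ones this report names.

```javascript
// Added example: pre-install triage for the install-hook stealer pattern.
// Takes package.json text and a path->source map (e.g. read from an extracted
// tarball) so it can run before `npm install` executes any lifecycle script.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall"];
// Indicator sets derived from the advisory text (bot ID and chat ID as named there).
const INDICATORS = {
  exfil: [/api\.telegram\.org/i, /8227918239/, /6433587894/, /CRYPTO STEALER/],
  secrets: [/\.ssh\/id_[a-z0-9]+/, /\.config\/solana\/id\.json/, /\.env\b/, /mnemonic|seed/i],
  evasion: [/GITHUB_ACTIONS/, /JENKINS/i, /\.dockerenv/, /isTestEnvironment/],
};
// Every .js path a hook command names, e.g. "node src/index.js" or
// "node -e \"require('./src/index.js')\"".
function scriptsInvokedBy(command) {
  return [...command.matchAll(/[\w./-]+\.js/g)].map(m => m[0].replace(/^\.\//, ""));
}
function auditPackage(packageJsonText, files) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!scripts[hook]) continue;
    const finding = { hook, command: scripts[hook], matched: {} };
    for (const path of scriptsInvokedBy(scripts[hook])) {
      const src = files[path];
      if (src === undefined) continue; // hook names a file that is not in the tarball
      for (const [category, patterns] of Object.entries(INDICATORS)) {
        const hits = patterns.filter(re => re.test(src)).length;
        if (hits) finding.matched[category] = (finding.matched[category] || 0) + hits;
      }
    }
    findings.push(finding);
  }
  // Any install hook deserves review; secret paths plus an exfil channel is the stealer shape.
  const stealer = findings.some(f => f.matched.secrets && f.matched.exfil);
  return { findings, verdict: stealer ? "block" : findings.length ? "review" : "pass" };
}
// Constructed sample with the advisory's shape; not the real package contents.
const SAMPLE_PKG = JSON.stringify({ name: "example-wallet-kit", version: "1.0.0",
  scripts: { postinstall: "node src/index.js" } });
const SAMPLE_FILES = {
  "src/index.js": [
    "const targets = ['.ssh/id_rsa', '.config/solana/id.json', '.env'];",
    "if (process.env.GITHUB_ACTIONS || require('fs').existsSync('/.dockerenv')) process.exit(0);",
    "const url = 'https://api.telegram.org/bot8227918239:<redacted>/sendMessage?chat_id=6433587894';",
  ].join("\n"),
};
console.log(auditPackage(SAMPLE_PKG, SAMPLE_FILES).verdict); // prints "block"
```

A "review" verdict means an install hook exists but its script matched nothing, which still warrants reading the script by hand before installing.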

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005347",
            "versions": [
                "4.26.29"
            ],
            "sha256": "d56fe423f0b7b6fd3188d49ea50e2ebb2e7f6e6c76c5c4682062395b7fe11a94",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T01:20:23Z",
            "import_time": "2026-06-11T01:21:50.834756945Z"
        }
    ]
}
References
Credits

Affected packages

npm / defi-tools-39

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

4.*
4.26.29

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "src/index.js",
            "sha256": "ddc5011b6173a57bc7f29b010ed6b71551dee253b5d05d3efc78d076f5351fee",
            "tlsh": "d1a173f50ef6b7108192e3e8524f60015476e1873c06ed64769c87987f8896ca2f2efc"
        },
        {
            "path": "package.json",
            "sha256": "5406d73479ef298086984a3d898fc117972748f6884c74d24b904663e74a75f7",
            "tlsh": "56e02010df10de7318d45f4f0c72925555514d0754407c1c37d7924c476d77b45fa55e"
        }
    ],
    "package_integrity": [
        {
            "filename": "defi-tools-39-4.26.29.tgz",
            "hashes": {
                "sha512_sri": "sha512-IedNIEZTx3L8EYig7sRtvmRQQ4vjoQ9PBjBfwuEK4J9C/yhnFx8quXGSkUpDAybW3geZPXEcX0qhaFh+doXchw==",
                "sha1": "ad929c90cc23f7f1e99e601b649bd443b6968950"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/defi-tools-39/MAL-2026-5354.json"