Crypto/SSH/wallet stealer, blockchain-helper-0/web3-tools-9 campaign sibling (c960/c961). postinstall scripts/postinstall.js auto-execs, src/index.js harvests ~/.ssh/id_rsa+wallet keys/seeds+env, self-labels "CRYPTO STEALER", exfils to IDENTICAL Telegram bot 8227918239 chat 6433587894 (not rotated). Generic-crypto-name + numeric suffix + 1.0.0 pattern.
-= Per source details. Do not edit below this line.=-
The package was found to contain malicious code or consuming dependency that contains malicious code
{
"malicious-packages-origins": [
{
"sha256": "ae3b331ae41142aa7284b8c008e95ae1e650907c9d182043fb3d82f28fc19543",
"id": "IN-MAL-2026-009509",
"import_time": "2026-07-09T22:56:29.489321309Z",
"modified_time": "2026-07-09T22:05:51Z",
"versions": [
"1.0.0"
],
"source": "amazon-inspector"
}
]
}{
"package_integrity": [
{
"filename": "ethereum-kit-1-1.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-ttsmZ3AxQ+qUIelZsCsrDmcXEoHyQ5dORTaQ2F3Ph0M4tAomef+uYD6JAlUhxv4jeAFr6EU4ZsYOGD+eObnr5Q==",
"sha1": "c30a7ced2189ca5a0d5bd6d4857f7759f1ff9ae5"
}
}
]
}
[
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ethereum-kit-1/MAL-2026-5355.json"