MAL-2026-5357

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/farming-tools-12/MAL-2026-5357.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5357
Published
2026-06-09T07:55:46Z
Modified
2026-06-11T01:31:29.949542399Z
Summary
Malicious code in farming-tools-12 (npm)
Details

Crypto/SSH/wallet stealer, sibling of the blockchain-helper-0 campaign (c960+), same aicrypto-xzggg publisher and "Core utilities for blockchain development" description as swap-sdk-87/defi-tools-39. The postinstall hook auto-executes src/index.js, which harvests ~/.ssh keys, Sol/Eth/BTC/Tron/Sui/Aptos wallets, .env files and seed phrases, self-labels "CRYPTO STEALER", and exfiltrates to the SAME Telegram bot 8227918239 / chat 6433587894 (not rotated). Inflated version (4.68.54).



Source: amazon-inspector (1a40867051c796d19f9e375a3f07f7cb616aaaa75fb51d557ea7c1ae0fbbd790)

On install (the postinstall hook requires src/index.js), the package enumerates installer-side secrets — ~/.ssh/id_rsa and id_ed25519, ~/.config/solana/id.json, Ethereum keystore files, Bitcoin wallet.dat, Tron/Sui/Aptos wallet files, .env, mnemonic.txt, seed.txt — and uploads each found file to api.telegram.org/bot<token>/sendDocument using a hardcoded bot token (8227918239:AAGE...) and chat_id (6433587894). Hostname and username are also sent in a message labeled 'CRYPTO STEALER' for victim attribution. Execution is gated by anti-analysis checks (CI=true, GITHUB_ACTIONS, JENKINS_HOME, NODE_ENV=test, usernames matching runner/sandbox/docker, 12-hex-character Docker container hostnames) and delayed by setTimeout(7434) so that it fires only on real developer machines. The author's own message label confirms malicious intent.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005348",
            "import_time": "2026-06-11T01:21:50.865998287Z",
            "sha256": "1a40867051c796d19f9e375a3f07f7cb616aaaa75fb51d557ea7c1ae0fbbd790",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T01:20:48Z",
            "versions": [
                "4.68.54"
            ]
        }
    ]
}

Affected packages

npm / farming-tools-12

Package: npm / farming-tools-12

Affected ranges
Type: SEMVER
Events: Introduced 0 (unknown introduced version; all previous versions are affected)

Affected versions

4.*
4.68.54

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "src/index.js",
            "sha256": "b50403be9dd9f94f7af4795c1e346c9d27d5a18041a3044773238c4cdc1f4de4",
            "tlsh": "fea173f50ef6b7108192e3a8524f60015476e1873c06ed65769c87987f8896ca2f2efd"
        }
    ],
    "package_integrity": [
        {
            "filename": "farming-tools-12-4.68.54.tgz",
            "hashes": {
                "sha512_sri": "sha512-YHpMgitus8OzBQTRDB1bVYlQrPK1Rlvj5eFq6KCH31/WXN/LXBJZzm3bVM58+o48n+5xgqnIKHlCRFVBTXm8dw==",
                "sha1": "20b3cffe633654b59cb0ea324803b58de04ab502"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/farming-tools-12/MAL-2026-5357.json"