MAL-2026-5359

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/swap-sdk-87/MAL-2026-5359.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5359
Published
2026-06-09T07:55:40Z
Modified
2026-06-11T01:31:30.298547784Z
Summary
Malicious code in swap-sdk-87 (npm)
Details

Crypto/SSH/wallet stealer, a sibling of the blockchain-helper-0 campaign (c960+). The postinstall hook auto-executes; src/index.js harvests ~/.ssh keys, Solana/Ethereum/Bitcoin/Tron/Sui/Aptos wallets, .env files and seed phrases, self-labels as "CRYPTO STEALER", and exfiltrates to the SAME Telegram bot 8227918239, chat 6433587894 (not rotated). Inflated version number.


-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (ee4f0ee119ae0ba917865c71f333eaeda049ce99024c50ad7d6c3ce41c1f7005)

On npm install, the package's postinstall hook loads src/index.js, which, after a 4-second delay and a sandbox/CI-evasion gate, enumerates secrets on the installing machine and uploads them to an attacker-controlled Telegram bot. Targeted paths include ~/.ssh/id_rsa, ~/.ssh/id_ed25519, the Solana keypair (~/.config/solana/id.json), Ethereum/Bitcoin/Tron/Sui/Aptos wallet files, .env files, and mnemonic/seed/keystore/secrets files. Stolen contents are POSTed to api.telegram.org/bot<redacted>/sendDocument with chat id 6433587894. The bot token 8227918239:AAGEMDrBZluDsBBYPxfSyMuv2l3FY8cZCcs is hardcoded at src/index.js line 6. The code self-identifies with the literal HTML header CRYPTO STEALER (src/index.js line 107).

An evasion routine isTestEnvironment() (src/index.js lines 10–22) suppresses payload execution when CI=true, GITHUB_ACTIONS=true, JENKINS_HOME is set, NODE_ENV is test/development, the hostname matches sandbox/test/ci or a 12-hex-character Docker container ID pattern, or the username contains runner/sandbox/docker. The gate is designed so the payload fires only on real developer machines, not in automated analysis.

The package advertises itself as 'Core utilities for blockchain development' with web3/solana/ethereum keywords and a placeholder author 'John Miller', a lure aimed precisely at the crypto-developer population whose machines hold the targeted secrets. The package ships no actual SDK functionality.
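Because the record above gives a package name, an affected version and the tarball's sha512 SRI integrity value, the practical check for a defender is whether any lockfile in their estate resolved to this package. The following Node.js script is an added example written for this page; it is not part of the OSV record, amazon-inspector's analysis, or the npm tooling. It walks both the lockfileVersion 2/3 `packages` map and the lockfileVersion 1 `dependencies` tree, flags entries by name (the advisory marks all versions as affected) and by integrity hash, and surfaces npm's `hasInstallScript` marker so the reviewer can see that the flagged entry declares an install hook. The `SAMPLE_LOCK` object is a constructed lockfile fragment, not a real project's.

```javascript
// Added example (not from the OSV record): scan a package-lock.json for the
// malicious swap-sdk-87 release using only the indicators in this advisory.
const INDICATORS = {
  name: 'swap-sdk-87',
  // sha512 SRI of swap-sdk-87-4.63.78.tgz, taken from the advisory's package_integrity block
  sri: 'sha512-GgkRFViHT7G57ejPVu2yEFx84aM1SzMRtzPOezmjd/IteoWCqxCUtAb3l0QPUrA0xKDcf5lCXDMPZOSNXlG57A==',
};

// Yield one record per installed package. Lockfile v2/v3 keep a flat "packages"
// map keyed by install path ("node_modules/foo", "node_modules/a/node_modules/foo");
// v1 keeps a nested "dependencies" tree. Both shapes are normalised here.
function* iterLockEntries(lock) {
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === '') continue; // the root project itself
      const marker = 'node_modules/';
      const name = entry.name || key.slice(key.lastIndexOf(marker) + marker.length);
      yield {
        path: key,
        name,
        version: entry.version,
        integrity: entry.integrity,
        hasInstallScript: entry.hasInstallScript === true,
      };
    }
    return;
  }
  function* walkV1(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield { path, name, version: entry.version, integrity: entry.integrity, hasInstallScript: false };
      yield* walkV1(entry.dependencies, `${path}/`);
    }
  }
  yield* walkV1(lock.dependencies, '');
}

// Return every lock entry that matches the advisory, with the reasons it matched.
function findMaliciousPackages(lock, ind = INDICATORS) {
  const hits = [];
  for (const e of iterLockEntries(lock)) {
    const reasons = [];
    if (e.name === ind.name) reasons.push('package name matches advisory (all versions affected)');
    if (e.integrity && e.integrity === ind.sri) reasons.push('tarball integrity matches advisory sha512 SRI');
    if (reasons.length) {
      hits.push({ path: e.path, name: e.name, version: e.version, hasInstallScript: e.hasInstallScript, reasons });
    }
  }
  return hits;
}

// Convenience wrapper for real use: node scan-lock.js ./package-lock.json
function scanLockfile(filePath) {
  const fs = require('fs');
  return findMaliciousPackages(JSON.parse(fs.readFileSync(filePath, 'utf8')));
}

// Constructed sample lockfile (v3 shape) containing one benign and one malicious entry.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0', dependencies: { 'swap-sdk-87': '^4.63.78', 'left-pad': '^1.3.0' } },
    'node_modules/swap-sdk-87': { version: '4.63.78', integrity: INDICATORS.sri, hasInstallScript: true },
    'node_modules/left-pad': { version: '1.3.0', integrity: 'sha512-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-HASH' },
  },
};

if (typeof process !== 'undefined' && process.argv[2]) {
  console.log(JSON.stringify(scanLockfile(process.argv[2]), null, 2));
} else {
  console.log(JSON.stringify(findMaliciousPackages(SAMPLE_LOCK), null, 2));
}
```

Run it against a real lockfile with `node scan-lock.js path/to/package-lock.json`. A hit on name alone is enough to act on, since the advisory's affected range starts at version 0; the integrity match is the stronger signal that the exact tarball described here was installed. Note that the lockfile only records what was resolved, so a host where `npm install` already ran should be treated as compromised per the behaviour described above, regardless of what the scan says.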

Database specific
{
    "malicious-packages-origins": [
        {
            "versions": [
                "4.63.78"
            ],
            "import_time": "2026-06-11T01:21:50.900382802Z",
            "modified_time": "2026-06-11T01:21:02Z",
            "id": "IN-MAL-2026-005349",
            "sha256": "ee4f0ee119ae0ba917865c71f333eaeda049ce99024c50ad7d6c3ce41c1f7005",
            "source": "amazon-inspector"
        }
    ]
}
References
Credits

Affected packages

npm / swap-sdk-87

Package

Affected ranges

Type
SEMVER
Events
Introduced: 0 (unknown introduced version; all previous versions are affected)

Affected versions

4.*
4.63.78

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/swap-sdk-87/MAL-2026-5359.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "package_integrity": [
        {
            "hashes": {
                "sha1": "9a10fa0507fefd3073cae93beb0d66de8842d880",
                "sha512_sri": "sha512-GgkRFViHT7G57ejPVu2yEFx84aM1SzMRtzPOezmjd/IteoWCqxCUtAb3l0QPUrA0xKDcf5lCXDMPZOSNXlG57A=="
            },
            "filename": "swap-sdk-87-4.63.78.tgz"
        }
    ],
    "evidence_files": [
        {
            "path": "src/index.js",
            "sha256": "9d96f8759e8d593b6dd2338aceb08cdb12e9a5613700953e04e66cc8c2e3087c",
            "tlsh": "92a184f50ef6b7108192e3e8524f60015476e1873c06ed64769c87987f8896ca2f2efc"
        },
        {
            "path": "package.json",
            "sha256": "098e2813542b33866f477766644416072d274f762456b0ce22c566de668c7c09",
            "tlsh": "24e02620df209d732cc8da5a0c72818366614e5751503c1c339f914c475d7bf48be40e"
        }
    ]
}