MAL-2026-5440

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/exodus-ethereum-sdk/MAL-2026-5440.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5440
Published
2026-06-09T17:44:04Z
Modified
2026-06-09T18:01:29.764002784Z
Summary
Malicious code in exodus-ethereum-sdk (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (b4e52a42f8980da0a9df361ef772ca31bbdaec85eb3fc7a73dbcfc8b5ca6894a)

Package name impersonates the Exodus cryptocurrency wallet brand and ships no real functionality (src/index.js exports an empty object; package.json self-describes as a 'HackerOne PoC'). The package.json declares a postinstall hook (node src/canary.js) which fires automatically on npm install. src/canary.js performs a DNS lookup and HTTPS GET to a hardcoded 96e03fa6c292469a-172-245-86-254.serveousercontent.com subdomain — Serveo is an anonymous reverse-tunnel service, so the destination is operator-controlled and not tied to any identifiable publisher. Each install reveals the installer's public IP and DNS resolver to whoever currently controls that tunnel. Combined with the brand-impersonating name (installers may pull this expecting a legitimate Exodus SDK), the package functions as an install-time beacon against unsuspecting installers regardless of the author's stated 'research' intent.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005108",
            "import_time": "2026-06-09T17:45:55.018154015Z",
            "sha256": "25c8b4456182ead7b8240cb61979ed48aaea35af26ec1dc2f259d35e7da87673",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:44:05Z",
            "versions": [
                "99.0.0-canary.1"
            ]
        },
        {
            "id": "IN-MAL-2026-005107",
            "versions": [
                "99.0.0-canary.1"
            ],
            "sha256": "b4e52a42f8980da0a9df361ef772ca31bbdaec85eb3fc7a73dbcfc8b5ca6894a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-09T17:44:04Z",
            "import_time": "2026-06-09T17:45:54.982173033Z"
        }
    ]
}
References
Credits

Affected packages

npm / exodus-ethereum-sdk

Package

Name
exodus-ethereum-sdk
Purl
pkg:npm/exodus-ethereum-sdk

Affected ranges

Affected versions

99.*
99.0.0-canary.1

Database specific

cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "src/canary.js",
            "sha256": "ef2b6f485b2532da51b9f5f82a44416947f1d965023718a03005da3a51a68b45",
            "tlsh": "4ed022fe91c4080aa3a047ac841a60cab94bc9f8008485d2730c86d220c0aeea2ac238"
        },
        {
            "path": "package.json",
            "sha256": "f0682bf3cf01c653c485e39f4134abc441b6d547a31201815c691dc86115d304",
            "tlsh": "40d09744882002333dc889f70ea2c08a02243c071220bc2ca3632444300cb774fb7210"
        }
    ],
    "package_integrity": [
        {
            "filename": "exodus-ethereum-sdk-99.0.0-canary.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-J9oxnPj08jPZ0izKQkTSBSMFQcAr3GUAdTnG+kSI9TuJZ/X1/tMhpPhs50xeyQ36esqtQHPzznDXTa6g4tgs9w==",
                "sha1": "8dd97a66d13aea53e24d30188bddd69d28dde794"
            }
        }
    ],
    "domains": [
        "96e03fa6c292469a-172-245-86-254.serveousercontent.com"
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/exodus-ethereum-sdk/MAL-2026-5440.json"