MAL-2026-5443

Import Source: https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/exodus-wallet-core/MAL-2026-5443.json
JSON Data: https://api.osv.dev/v1/vulns/MAL-2026-5443
Published: 2026-06-09T17:44:29Z
Modified: 2026-06-09T18:01:36.162492362Z
Summary: Malicious code in exodus-wallet-core (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (53bf93b626689e980ef2e9c4ba33fd95e81d6a04c665f85908c8cf07b8b36e14)

Package name impersonates the Exodus cryptocurrency wallet brand. package.json declares "postinstall": "node src/canary.js", and src/canary.js performs a DNS lookup and HTTPS GET to a hardcoded Serveo reverse-tunnel host (96e03fa6c292469a-172-245-86-254.serveousercontent.com/c) on every npm install. Serveo (serveousercontent.com) is a reverse-SSH tunneling service frequently used to expose non-publisher hosts; this is not Exodus infrastructure. The callout leaks the installer's IP address and timing to the tunnel operator and demonstrates arbitrary install-time code execution on the installer's machine. Although the package self-describes as a HackerOne PoC canary, the technique is a live supply-chain attack pattern operating against any machine that installs it.

Database specific
{
    "malicious-packages-origins": [
        {
            "modified_time": "2026-06-09T17:44:29Z",
            "versions": [
                "99.0.0-canary.1"
            ],
            "sha256": "1ba93766fbae4c48460e40e317bf64f68251047d20cf43e4583db8d6be616bc8",
            "id": "IN-MAL-2026-005114",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:55.277187778Z"
        },
        {
            "modified_time": "2026-06-09T17:44:29Z",
            "versions": [
                "99.0.0-canary.1"
            ],
            "sha256": "53bf93b626689e980ef2e9c4ba33fd95e81d6a04c665f85908c8cf07b8b36e14",
            "id": "IN-MAL-2026-005113",
            "source": "amazon-inspector",
            "import_time": "2026-06-09T17:45:55.242015674Z"
        }
    ]
}

Affected packages

npm / exodus-wallet-core

Affected versions

99.*
99.0.0-canary.1

Database specific

indicators
{
    "domains": [
        "96e03fa6c292469a-172-245-86-254.serveousercontent.com"
    ],
    "evidence_files": [
        {
            "sha256": "ef2b6f485b2532da51b9f5f82a44416947f1d965023718a03005da3a51a68b45",
            "tlsh": "4ed022fe91c4080aa3a047ac841a60cab94bc9f8008485d2730c86d220c0aeea2ac238",
            "path": "src/canary.js"
        },
        {
            "sha256": "5ec01a1a499f3a403d991389af2af512ce196ac16c4c054d73e5db184e8a88f3",
            "tlsh": "c6d09708982042233cc88ae70ea2c0ca01242c031260bc2893a31404310cb770fb3140",
            "path": "package.json"
        }
    ],
    "package_integrity": [
        {
            "hashes": {
                "sha512_sri": "sha512-yCS1BZyZZYVIzGCYOgZkXrPDtCmpN2pBQgX/h/ukzc01m4nGYVZLMSee37C3HHZoSSfpIEoopIGyFNWQeYWhxw==",
                "sha1": "aafe57861e08a477d866d5eee997e8f98f08b056"
            },
            "filename": "exodus-wallet-core-99.0.0-canary.1.tgz"
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/exodus-wallet-core/MAL-2026-5443.json"