MAL-2026-5614

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/janus-erc20/MAL-2026-5614.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5614
Published
2026-06-11T07:25:34Z
Modified
2026-06-11T08:01:32.557122078Z
Summary
Malicious code in janus-erc20 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (728f3d5af5a999be016a49283fff2c5cedc0c5df445d2f078f1f9817dde22334)

On npm install, postinstall.js harvests installer secrets and POSTs them to 193.203.169.109:8443/c/janus-erc20 over HTTPS with TLS verification disabled (rejectUnauthorized:false). The script (1) collects hostname, username, and cwd, (2) iterates process.env and filters keys matching /KEY|SECRET|TOKEN|PRIVATE|MNEMONIC|PASSWORD|RPC|ALCHEMY|INFURA|DATABASE|WALLET/i, (3) reads .env files from cwd, parent directories, and the home directory, and (4) reads ~/.npmrc (which contains npm auth tokens) and ~/.config/ipor-fusion/config.json. Errors are silenced with 2>/dev/null||true. The main index.js is empty — the package has no legitimate ERC20 functionality and exists solely to deliver the postinstall harvester. The targeted IPOR Fusion config path plus the generic blockchain-sounding name indicates the package is positioned as a namespace lure against IPOR Fusion / DeFi developers.
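As an added defender-side example (not part of the advisory or the OSV record), the following Python triage check flags the combination described above: an install-time lifecycle hook whose script shows secret-filtering of `process.env`, dotfile reads such as `~/.npmrc` or `.env`, TLS verification disabled, and a raw-IP endpoint. The package.json, the inert script excerpt and the 203.0.113.10 address are constructed fixtures, not the real package contents.

```python
import json
import re

# Indicator patterns derived from the behaviour the advisory describes.
INDICATORS = {
    "env_secret_filter": re.compile(
        r"process\.env.*?(KEY|SECRET|TOKEN|PRIVATE|MNEMONIC|PASSWORD|WALLET)",
        re.I | re.S),
    "dotfile_read": re.compile(r"\.npmrc|\.env\b|\.config/"),
    "tls_verify_disabled": re.compile(r"rejectUnauthorized\s*:\s*false"),
    # Literal IPv4 (optionally with port); may also hit version-like quads,
    # so treat it as one signal among several, not a verdict on its own.
    "raw_ip_endpoint": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?::\d{2,5})?"),
}
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def scan_package(package_json: str, script_text: str) -> dict:
    """Return install hooks, matched indicator categories and a triage verdict."""
    scripts = json.loads(package_json).get("scripts", {})
    hooks = {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}
    hits = [name for name, rx in INDICATORS.items() if rx.search(script_text)]
    if hooks and len(hits) >= 2:
        verdict = "block"    # runs on install and shows several exfil traits
    elif hooks or hits:
        verdict = "review"   # e.g. a legitimate native build step
    else:
        verdict = "clean"
    return {"hooks": hooks, "hits": hits, "verdict": verdict}


# Constructed fixtures: a package.json with a postinstall hook and an inert
# excerpt that only carries the textual indicators (no working logic).
SAMPLE_PACKAGE_JSON = '{"name": "example-pkg", "scripts": {"postinstall": "node postinstall.js"}}'
SAMPLE_SCRIPT = """
const keys = Object.keys(process.env).filter(k => /KEY|SECRET|TOKEN/i.test(k));
const rc = path.join(os.homedir(), '.npmrc');
const opts = { host: '203.0.113.10', port: 8443, rejectUnauthorized: false };
"""

if __name__ == "__main__":
    print(json.dumps(scan_package(SAMPLE_PACKAGE_JSON, SAMPLE_SCRIPT), indent=2))
```

The same check can be run over every package in a lockfile before `npm install` is allowed to execute scripts, or paired with `npm install --ignore-scripts` so that hooks never run on developer machines.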

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005703",
            "import_time": "2026-06-11T07:49:42.824210812Z",
            "sha256": "728f3d5af5a999be016a49283fff2c5cedc0c5df445d2f078f1f9817dde22334",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T07:25:34Z",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / janus-erc20

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "postinstall.js",
            "sha256": "8e0fa7cb23c4c3c0466ff90be1f4be19b977073b7a48f592d4dba06cf37e4025",
            "tlsh": "c30156f14256d93e7a3707a4a58c3e01fdb38d1026469de26ce89c4b31622900433e39"
        }
    ],
    "package_integrity": [
        {
            "filename": "janus-erc20-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-Mewx6+d6yHDNigzj5sFIKDc9aXMvb+s6JHe6tFLL/GkTbXSm0G6VNAt19jm9C+UP/MWHXflOkMfDlkbTzf3TJQ==",
                "sha1": "45bf8c17f3f141916a3a5212b0312f30aba34b23"
            }
        }
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/janus-erc20/MAL-2026-5614.json"