-= Per source details. Do not edit below this line.=-
On npm install, mci-sdk runs the postinstall hook node./src/exec.js, which imports mci from src/core/index.js and invokes it at module top level. The function reads a base64-encoded value stored as MULTI_CHAIN_CONFIG.dev.apiKey in src/core/config.js (aHR0cHM6Ly9qc29ua2VlcGVyLmNvbS9iLzJQNUZB), decodes it to https://jsonkeeper.com/b/2P5FA, fetches the JSON via axios, and pipes response.data.cookie into spawn('node', [], {detached:true, stdio:['pipe','ignore','ignore']}) followed by child.unref(). The fetched payload is therefore executed as Node.js code on the installer's machine, in a detached process that outlives the npm install. The remote source is an anonymous paste host, with no pinning, hash, or signature verification — whoever controls the paste controls arbitrary code execution on every install. The C2 URL is deliberately disguised under a field labeled apiKey and base64-encoded to evade casual review and URL scanners. The same mci/multiChainInterface symbol is also re-exported from the package main (src/index.js), so any consumer that imports the package and reaches that code path triggers the same fetch-and-execute. The package additionally clones the API surface and documentation of the legitimate uhop/stream-chain library (README and llms.txt link to github.com/uhop/stream-chain/wiki/...) to attract developers seeking that package.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"malicious-packages-origins": [
{
"sha256": "1ae26c09350fdf9fb630e382c71dd730583ba1822122d232cde49a259597264f",
"id": "IN-MAL-2026-006842",
"source": "amazon-inspector",
"import_time": "2026-06-16T23:03:43.342539083Z",
"modified_time": "2026-06-16T22:18:38Z",
"versions": [
"1.2.8"
]
},
{
"sha256": "3d17c89e8b90b6c893c9e3ea7d6ec1314857ff2641675cac39b7feac0a039bcd",
"id": "IN-MAL-2026-006839",
"source": "amazon-inspector",
"import_time": "2026-06-16T23:03:43.064929356Z",
"modified_time": "2026-06-16T22:17:46Z",
"versions": [
"1.2.10"
]
},
{
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
}
]
}
],
"id": "GHSA-7cjh-m5vf-hp3r",
"source": "ghsa-malware",
"import_time": "2026-07-08T09:08:02.572187167Z",
"sha256": "d0c6ac0d077500898b1b81d4fa254cb9242af2a7fdbf1d4eaf53666ecfe018b2",
"modified_time": "2026-07-08T08:28:38Z"
},
{
"sha256": "8123bdc8ef62bd04882cf8a8d1d45279cd4d8e7a44da102db142284634790670",
"id": "IN-MAL-2026-008586",
"source": "amazon-inspector",
"import_time": "2026-07-08T21:27:48.606360844Z",
"modified_time": "2026-07-08T20:32:27Z",
"versions": [
"1.2.9"
]
},
{
"modified_time": "2026-07-08T20:32:20Z",
"id": "IN-MAL-2026-008585",
"source": "amazon-inspector",
"import_time": "2026-07-08T21:27:48.541025608Z",
"sha256": "93a23c2b3d2a0cc4cb1cfa5be6efb56cd7c9dc4385310263a8fddc465d5a7a2e",
"versions": [
"1.2.11"
]
},
{
"sha256": "3336120c8e4094504fe1e21c5749509bd9427abaaa56b8253013cbad8097fd3c",
"id": "IN-MAL-2026-009265",
"source": "amazon-inspector",
"import_time": "2026-07-09T16:20:55.875523823Z",
"modified_time": "2026-07-09T15:52:21Z",
"versions": [
"1.2.12"
]
},
{
"modified_time": "2026-07-09T15:52:38Z",
"id": "IN-MAL-2026-009267",
"source": "amazon-inspector",
"import_time": "2026-07-09T16:20:56.062930228Z",
"sha256": "482fa935401594ce6102ca89d6caf14ce22cb85a547f86f7671d522b1a8cd185",
"versions": [
"1.2.13"
]
}
]
}{
"package_integrity": [
{
"filename": "mci-sdk-1.2.8.tgz",
"hashes": {
"sha1": "da1f67cb04449c136c7b08443beba108054ccc86",
"sha512_sri": "sha512-qCyybIsv6H4RXijaxrCpaK5jd4gG+EkWKHVSsE21yq/DeAqrBXQgqW0pJBCrNmuK0UDQEyAz+Z0KwoBPzYsBbg=="
}
}
],
"evidence_files": [
{
"path": "src/core/index.js",
"tlsh": "df5136d654bb212c4592606cc5af222706618901f684b198ed793122efd3089eb2fefd",
"sha256": "c2c83eee776d1fe2ee88d2f8c6b3378131afdee9c38df5e0a3180cab6d1ef3ad"
},
{
"path": "src/core/config.js",
"tlsh": "0bd0a986ea229e464cb02bb0a03a224697231bbb7c980e05349d408d0bb59520808f98",
"sha256": "17c5efa20aec6fd00d212423c5aa16827a64d318d783c7dab9834f1581c4edde"
},
{
"path": "README.md",
"tlsh": "16f1e9af6b1023670e5715e8d2e9668dc732d04fd71004a8447bc468eb464fda63debe",
"sha256": "29984af97bad0bb65706e36cf58a8ad2070b5de3d569c8ba0a047be63ddb727d"
},
{
"path": "src/exec.js",
"tlsh": "c7f18599b6e7113a431360b8d64fc416ab2a8403a15d88f6b25e52107f82438e5bdefd",
"sha256": "dcdf836e76dd604875d64a6e36509cf87e4ddc962828602f18ba6dec6d6fcb65"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/mci-sdk/MAL-2026-5931.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]