-= Per source details. Do not edit below this line.=-
Package eth-util impersonates the legitimate @ethereumjs/util package: README, repository URL (github.com/ethereumjs/ethereumjs-monorepo), badges, contributor list, and module API are copied from the ethereumjs project, but the package is published under the unrelated short name eth-util. The compiled dist/index.js at line 55 contains a side-effect-only require("assert-kit") that is absent from src/index.ts and from the parallel dist.browser/index.js bundle — tsc would not emit an unreferenced require of a package not present in the source, so this line was injected post-compile. Anyone reading the GitHub source would not see the loader; only the published npm tarball carries it. The assert-kit dependency is declared at ^4.3.2 in package.json, mimic-named after the Node built-in assert referenced in the README, and the caret range lets the publisher ship arbitrary code into installers via any future minor/patch release. On require("eth-util"), the consumer's process executes whatever top-level code assert-kit ships.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
{
"malicious-packages-origins": [
{
"sha256": "25c797954fc796493e459a69efde378ef04874f43e7c5570c12e9b8463688807",
"id": "GHSA-fq6v-3gxv-7rjv",
"modified_time": "2026-06-19T08:08:43Z",
"import_time": "2026-06-19T08:13:49.239922046Z",
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "SEMVER"
}
],
"source": "ghsa-malware"
},
{
"sha256": "6fcfa5a90c6e60f1e3a94db0277e5d9bd0058d0d5d3a549e3e62dfb6e05f4223",
"id": "IN-MAL-2026-009372",
"import_time": "2026-07-09T17:19:30.43545505Z",
"modified_time": "2026-07-09T17:02:39Z",
"versions": [
"7.1.5"
],
"source": "amazon-inspector"
}
]
}{
"evidence_files": [
{
"sha256": "a3b22386a61a051a2d0bf4ecc1bed171785fe7f0c3b8d444db2b0bedbedce9d0",
"tlsh": "dd51cc1b3658b8f583f860f81b2bd1c3f931593301b29a64866cd7f0dda698a85f4e1d",
"path": "dist/index.js"
}
]
}
[
{
"name": "Embedded Malicious Code",
"cweId": "CWE-506",
"description": "The product contains code that appears to be malicious in nature."
},
{
"cweId": "CWE-506",
"name": "Embedded Malicious Code",
"description": "The product contains code that appears to be malicious in nature."
}
]
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/eth-util/MAL-2026-6201.json"