MAL-2026-6326

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/web3-eth-utils/MAL-2026-6326.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6326
Published
2026-06-23T15:55:57Z
Modified
2026-06-23T17:01:27.061809730Z
Summary
Malicious code in web3-eth-utils (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (4a262e70316cd74a87b043cd1985e456639781763d4a3ef69aa09d99a2795154)

Package name, README, repository URL, contributors, and module structure are copied from the legitimate '@ethereumjs/util' / 'ethereumjs-util' package, presenting itself as a drop-in for that widely-used Ethereum utility library. The compiled Node entry dist/index.js contains a side-effect-only require("assertcore") at line 60 (no symbols from the module are used), and assertcore is declared as a runtime dependency (^3.1.7) in package.json. This require is absent from the TypeScript source src/index.ts and from the browser bundle dist.browser/index.js — it was injected into the shipped Node bundle after the build, a deliberate smuggling pattern. Any consumer who installs web3-eth-utils believing it to be the real ethereumjs util package will pull assertcore into their dependency tree and execute its top-level code at every require('web3-eth-utils'), handing arbitrary install/require-time execution to the assertcore maintainer.

Database specific 
{
    "malicious-packages-origins": [
        {
            "sha256": "4a262e70316cd74a87b043cd1985e456639781763d4a3ef69aa09d99a2795154",
            "id": "IN-MAL-2026-007253",
            "source": "amazon-inspector",
            "modified_time": "2026-06-23T15:55:57Z",
            "versions": [
                "6.2.8"
            ],
            "import_time": "2026-06-23T16:54:11.897080612Z"
        }
    ]
}
References
Credits

Affected packages

npm / web3-eth-utils

Package

Name
web3-eth-utils
View open source insights on deps.dev
Purl
pkg:npm/web3-eth-utils

Affected ranges

Affected versions

6.*
6.2.8

Database specific

source 
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/web3-eth-utils/MAL-2026-6326.json"
cwes 
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators 
{
    "evidence_files": [
        {
            "sha256": "b58ae60ae0836b1569599e7f53790f6a70bb1ecd60e5b1232b5c76361c0afa22",
            "tlsh": "8a51cc1b3658b8f583f860f81b2bd1c3f931593301b29a24866cd7f0dda698a85f4e1d",
            "path": "dist/index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "web3-eth-utils-6.2.8.tgz",
            "hashes": {
                "sha1": "a2097efb6c2da53078b86201916ce749086cc42e",
                "sha512_sri": "sha512-OtU86BvsL8c0JDFcMa2RdYvmXaiSvEHBlCOtiaifxh4fTq9FV7Z7Lr0bA55hU/WAGJmi+3iYQ8gDtBEOMsK1SA=="
            }
        }
    ]
}