MAL-2026-6445

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/base58-core/MAL-2026-6445.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6445
Published
2026-06-25T06:43:58Z
Modified
2026-06-25T08:01:27.760323225Z
Summary
Malicious code in base58-core (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (c10874ae13f1937b6974bcaaec72996e54f85fc3de6bf5e53d732f6e1f37c8a3)

The package presents itself as a Base58 encoder/decoder but on require() arms a malicious payload that is time-gated to activate 72 hours after first import (ACTIVATION_DELAY = 72*60*60*1000 in dist/index.cjs:94-95) to evade CI and sandbox testing. Once active, it: (1) starts a 2.5s clipboard polling loop (dist/index.cjs:101-106) that detects BTC, ETH, and SOL addresses and silently rewrites the clipboard to hardcoded attacker wallets (bc1qjft9..., 0xd63eD4..., A7ajd7W5...), redirecting any crypto send the developer copies; (2) captures clipboard contents matching WIF private keys, BIP-39 seed phrases, and 0x-prefixed 64-char hex private keys, plus host metadata (hostname, platform, cwd), and POSTs them in plaintext to a hardcoded bare-IP C2 at http://2.27.62.51:8080/api/health (with :8081 fallback) via dist/index.cjs:96-97; (3) establishes persistence by appending a node -e loader to ~/.bashrc, ~/.zshrc, and ~/.profile and dropping base58-runtime.js into the Windows Start Menu Startup folder (dist/index.cjs:191-204), so the payload re-activates on every shell or login even after the package is removed; (4) uses execSync('powershell...') in dist/index.cjs:153 for Windows clipboard access. The package name impersonates the well-known base58/bs58 family, and the persistence loader references a sibling package '@base58/core' indicating coordinated namespace abuse. Crypto developers are the precise targeted victim profile.
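
Because the persistence described in (3) survives uninstalling the package, a host that ever imported it needs its startup files checked. The following is an added example, not code from the advisory or the package: it assumes the appended loader is a single `node -e` line that names the base58 family, and that the drop location is the standard per-user Startup folder under `%APPDATA%`; the function names are hypothetical.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Shell startup files the advisory says the loader is appended to.
const RC_FILES = ['.bashrc', '.zshrc', '.profile'];
// Assumption: the appended loader is one line that runs `node -e` and names
// the base58 family (the advisory mentions '@base58/core'); exact text unknown.
const LOADER_RE = /\bnode\s+-e\b.*base58/i;
// File name the advisory says is dropped into the Windows Startup folder.
const STARTUP_DROP = 'base58-runtime.js';

// Return [{line, text}] for each line of a startup file that matches.
function findLoaderLines(content) {
  return content.split(/\r?\n/)
    .map((text, i) => ({ line: i + 1, text }))
    .filter(({ text }) => LOADER_RE.test(text));
}

// Scan one home directory (and optionally %APPDATA%) for leftovers.
function scanHome(home, appData) {
  const findings = [];
  for (const name of RC_FILES) {
    const file = path.join(home, name);
    if (!fs.existsSync(file)) continue;
    for (const hit of findLoaderLines(fs.readFileSync(file, 'utf8'))) {
      findings.push({ file, ...hit });
    }
  }
  if (appData) {
    // Standard per-user Startup folder on Windows.
    const drop = path.join(appData, 'Microsoft', 'Windows', 'Start Menu',
      'Programs', 'Startup', STARTUP_DROP);
    if (fs.existsSync(drop)) findings.push({ file: drop, line: 0, text: 'dropped file present' });
  }
  return findings;
}

// Report findings for the current user.
for (const f of scanHome(os.homedir(), process.env.APPDATA)) {
  console.log(`${f.file}:${f.line}: ${f.text}`);
}
```

A hit is a lead to inspect by hand, not proof; an empty result does not clear a host where the loader text differs from the assumed pattern.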

Database specific
{
    "malicious-packages-origins": [
        {
            "sha256": "6e2594f5ee1ee71b3fb6a42fd834dee3598ce0993bd5718769dad01c916326d1",
            "id": "IN-MAL-2026-007492",
            "source": "amazon-inspector",
            "modified_time": "2026-06-25T06:43:58Z",
            "versions": [
                "1.0.1"
            ],
            "import_time": "2026-06-25T07:47:51.798999099Z"
        },
        {
            "sha256": "c10874ae13f1937b6974bcaaec72996e54f85fc3de6bf5e53d732f6e1f37c8a3",
            "import_time": "2026-06-25T07:47:51.841500941Z",
            "source": "amazon-inspector",
            "modified_time": "2026-06-25T06:44:18Z",
            "versions": [
                "1.0.0"
            ],
            "id": "IN-MAL-2026-007493"
        }
    ]
}
References
Credits

Affected packages

npm / base58-core

Package

Affected ranges

Affected versions

1.*
1.0.0
1.0.1

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/base58-core/MAL-2026-6445.json"
cwes
[
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    },
    {
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature.",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "tlsh": "281251a82af754a0c223b0ad435f90127539f153390ddd68be0ce7841fa597857e37ae",
            "sha256": "0883f67f12ef0c2b1da1e11a4d31a08fdaedc5c7de0db2fb98cb6f7e5efd3224",
            "path": "dist/index.cjs"
        },
        {
            "sha256": "0e9d1ba8dd0e5c06cdb94bb8eb52af519ed319df3d2faf54e063a653c6191f11",
            "tlsh": "bb1241a82af754a0c223b0ad426f90127539f153394ddd6cbe0ce7845fa153857e3bae",
            "path": "dist/index.js"
        }
    ],
    "package_integrity": [
        {
            "filename": "base58-core-1.0.1.tgz",
            "hashes": {
                "sha1": "b4dd05c96809c80d69d48fdab4a25b84078da84c",
                "sha512_sri": "sha512-MI3HAkFL4EL2Xu7lTeZeTrVkkzUiwNVdkk6Z4xzybU39RFmo0BvZIAkB1J5Yx5qkX5mgYzOeNvJFwgrEJZMFcA=="
            }
        }
    ]
}