MAL-2026-6694

See a problem?
Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/thirdwebb/MAL-2026-6694.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6694
Published
2026-06-30T00:00:00Z
Modified
2026-06-30T21:01:39.364337206Z
Summary
Malicious code in thirdwebb (npm)
Details

Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. thirdwebb is a typosquat of the legitimate thirdweb package. It uses a side-loader technique, pulling in log-taker as a transitive dependency; the infostealer runs automatically via that dependency's postinstall hook. The payload harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, .npmrc tokens, Docker config, shell history, and password manager databases, exfiltrating all data to the C2 domain log-taker.store.

Database specific
{
    "malicious-packages-origins": null
}
References
Credits

Affected packages

npm / thirdwebb

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected

Database specific

iocs
{
    "domains": [
        "log-taker.store"
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/thirdwebb/MAL-2026-6694.json"