MAL-2026-6695

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-bn-proto/MAL-2026-6695.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-6695
Published
2026-06-30T00:00:00Z
Modified
2026-06-30T21:01:39.340083157Z
Summary
Malicious code in ts-bn-proto (npm)
Details

Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. ts-bn-proto embeds an infostealer payload directly in index.js with a base64-encoded C2 address (data-stream.space), executed at install time via a postinstall hook. The payload harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, developer secrets, and password manager databases, then exfiltrates all data to the attacker-controlled C2.

Database specific
{
    "malicious-packages-origins": null
}
References
Credits

Affected packages

npm / ts-bn-proto

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-bn-proto/MAL-2026-6695.json"
iocs
{
    "domains": [
        "data-stream.space"
    ]
}
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]