Malicious npm package published as part of a coordinated DeFi-themed infostealer campaign. ts-bn-proto embeds an infostealer payload directly in index.js with a base64-encoded C2 address (data-stream.space), executed at install time via a postinstall hook. The payload harvests cryptocurrency wallet vaults (MetaMask, Phantom, Solflare, OKX, Coinbase, TrustWallet, Backpack, TronLink), browser cookies and credentials, SSH keys, AWS credentials, developer secrets, and password manager databases, then exfiltrates all data to the attacker-controlled C2.
{
"malicious-packages-origins": null
}"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/ts-bn-proto/MAL-2026-6695.json"
{
"domains": [
"data-stream.space"
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]