OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10611 confirms this npm version as malicious. At npm install time the preinstall script (dist/index.min.js) reads installer-owned secrets — ~/.ssh/id_rsa, ~/.env, ~/.env.local, ~/.wallet.json — and iterates process.env for keys matching PRIVATE_*, MNEMONIC*, and SECRET*. Extracted content is scanned for 64-hex and WIF private keys and posted, along with the installer's hostname and username, to https://api.telegram.org/bot<redacted>/sendMessage using a...
Advisory
MAL-2026-10611
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @web3-helpers/core (npm)
Details
At npm install time the preinstall script (dist/index.min.js) reads installer-owned secrets — ~/.ssh/id_rsa, ~/.env, ~/.env.local, ~/.wallet.json — and iterates process.env for keys matching PRIVATE_*, MNEMONIC*, and SECRET*. Extracted content is scanned for 64-hex and WIF private keys and posted, along with the installer's hostname and username, to https://api.telegram.org/bot<redacted>/sendMessage using a hardcoded bot token. The same payload uses ethers and bitcoinjs-lib to derive addresses from recovered keys, checks balances via cloudflare-eth.com and blockchain.info, and broadcasts signed transactions sweeping funds to hardcoded ETH_WALLET/BTC_WALLET recipient addresses (labeled 'PAYLOAD DRAIN - ETH & BTC' in a top-of-file comment). A binding.gyp file additionally uses GYP command expansion (`<!(node -e "require('./dist/index.min.js')...")`) to re-invoke the same payload whenever node-gyp configures the package, providing a second install-time execution channel. The package name mimics legitimate Web3 helper libraries, package.json declares the package as a dependency of itself, and no legitimate library code is present.
Decision reason
OpenSSF Malicious Packages via OSV confirms @web3-helpers/core@1.0.2 as malicious (MAL-2026-10611): Malicious code in @web3-helpers/core (npm)
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory