OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-10571 confirms this npm version as malicious. Package `@wrenfield/viem` impersonates the popular `viem` library (homepage viem.sh, repo wevm/viem); README and authors fields credit the real viem maintainers but the package itself is published under an unrelated `@wrenfield` scope. The shipped source under `_cjs/` mirrors viem's real code, but `package.json` rewrites the `abitype` dependency via npm alias: `"abitype": "npm:@wrenfield/abitype@1.2.4"`...
Advisory
MAL-2026-10571
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in @wrenfield/viem (npm)
Details
Package `@wrenfield/viem` impersonates the popular `viem` library (homepage viem.sh, repo wevm/viem); README and authors fields credit the real viem maintainers but the package itself is published under an unrelated `@wrenfield` scope. The shipped source under `_cjs/` mirrors viem's real code, but `package.json` rewrites the `abitype` dependency via npm alias: `"abitype": "npm:@wrenfield/abitype@1.2.4"`. The CommonJS entry `_cjs/index.js` calls `require("abitype")` at module load, so any installer who `require()`s or `import`s `@wrenfield/viem` transitively pulls and executes code from `@wrenfield/abitype@1.2.4` — a separate package under the same attacker-controlled scope, outside this tarball. The combination of brand impersonation of a top npm package plus a silent dependency redirect to an attacker-controlled namespace is the namespace-abuse / dependency-hijack pattern: the lure package looks legitimate on inspection, while the actual payload is delivered through the redirected dependency at first import.
Decision reason
OpenSSF Malicious Packages via OSV confirms @wrenfield/viem@2.53.4 as malicious (MAL-2026-10571): Malicious code in @wrenfield/viem (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory