registry  /  abi-encode  /  1.0.2

abi-encode@1.0.2

Ethereum ABI encoding and decoding — encode function calls, decode parameters, parse event logs

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10549 confirms this npm version as malicious. The package advertises ABI encoding but on require() schedules a 37-second timer that decodes test/fixtures/keypairs.dat (base64-encoded stealer, staged to look like cryptographic test data) into ~/.cache-db/.node-sync/syncd.js with mode 0700 and spawns it detached under node...

Advisory
MAL-2026-10549
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in abi-encode (npm)
Details
The package advertises ABI encoding but on require() schedules a 37-second timer that decodes test/fixtures/keypairs.dat (base64-encoded stealer, staged to look like cryptographic test data) into ~/.cache-db/.node-sync/syncd.js with mode 0700 and spawns it detached under node. Persistence is installed by appending a crontab entry (Linux) that re-runs the dropped script every 12 hours, or by registering a scheduled task named WinNodeSync (Windows). The decoded payload walks the installer's home directory for files matching wallet/seed/credential extensions and keywords (.env,.key,.keystore,.pem, seed, mnemonic, wallet, private, metamask, phantom, ledger, trezor, PRIVATE_KEY, MNEMONIC, SECRET, TOKEN), RSA-encrypts matches, and uploads them to attacker-controlled IPFS via api.pinata.cloud using an embedded Pinata API key/secret, with three hardcoded IPFS CID dead drops as fetch fallbacks. The 37-second delay, fake-fixture staging, hidden home-directory drop path, and cross-platform persistence together confirm evasive malicious intent unrelated to ABI encoding.
Decision reason
OpenSSF Malicious Packages via OSV confirms abi-encode@1.0.2 as malicious (MAL-2026-10549): Malicious code in abi-encode (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory