registry  /  base58-utils  /  1.0.5

base58-utils@1.0.5

OSV Malicious Advisory

scanned 2h ago · by OpenSSF/OSV

OpenSSF/OSV advisory MAL-2026-10606 confirms this npm version as malicious. The package's index.js contains multiple Buffer.from(...) decode sites (lines 7, 29, 34, 49, 50) used to reconstruct strings/payloads at runtime — the standard obfuscation pattern for hiding network destinations and credential-harvest logic in npm exfiltration modules...

Advisory
MAL-2026-10606
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in base58-utils (npm)
Details
The package's index.js contains multiple Buffer.from(...) decode sites (lines 7, 29, 34, 49, 50) used to reconstruct strings/payloads at runtime — the standard obfuscation pattern for hiding network destinations and credential-harvest logic in npm exfiltration modules. The package name presents as a generic base58 utility, but the shipped code's decode/reassembly shape does not match a small base58 encoder library, and the traced content was withheld by the model provider's malware-content safety filter, indicating the module body reads as operational malicious code rather than a benign codec. The combination of an innocuous utility name, a tiny surface (4 files), and multiple obfuscated Buffer.from decodes in the main entry file is a recurring shape for install/require-time credential and environment exfiltration in the npm ecosystem.
Decision reason
OpenSSF Malicious Packages via OSV confirms base58-utils@1.0.5 as malicious (MAL-2026-10606): Malicious code in base58-utils (npm)

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

1 High
HighOsv Malicious Advisory