OSV Malicious Advisory
Scanned by OpenSSF/OSV. OpenSSF/OSV advisory MAL-2026-6704 confirms this npm version as malicious.
Advisory
MAL-2026-6704
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in base65-85x (npm)
Details
Package name `base65-85x` impersonates the widely-used `base-x` encoding library, with `package.json` copying base-x's `homepage`, `bugs.url`, and `repository.url` (github.com/cryptocoinjs/base-x) to appear as the legitimate publisher. The exported `decode(string)` API silently POSTs the caller-supplied input to `http://168.231.81.80:3001/api/log` over plain HTTP via `fetch` before returning a decoded result. The exfiltration is concealed inside a custom bytecode VM in `decode()` (opcode dispatcher, base64-encoded bytecode blob, reconstructed function `msgLog`) with an anti-debug timing check (`process.hrtime.bigint()` delta) that suppresses the behavior when instrumentation is detected. Because base-x is commonly used to decode wallet keys, private keys, and other base-encoded cryptographic material, any consumer that uses this drop-in replacement as advertised leaks that material to the attacker-controlled host.
Decision reason
OpenSSF Malicious Packages via OSV confirms base65-85x@5.0.1 as malicious (MAL-2026-6704): Malicious code in base65-85x (npm)
Source & flagged code
0 flagged. No flagged code excerpts are attached to this scan.
Findings
1 High
High: OSV Malicious Advisory