OSV Malicious Advisory
scanned 3h ago · by OpenSSF/OSVOpenSSF/OSV advisory MAL-2026-5352 confirms this npm version as malicious. **Note:** *This report is updated by a verification record*
Advisory
MAL-2026-5352
Source
OpenSSF Malicious Packages via OSV
Summary
Malicious code in blockchain-helper-0 (npm)
Details
**Note:** *This report is updated by a verification record*
Crypto/SSH/wallet stealer (self-labeled "CRYPTO STEALER"). postinstall scripts/postinstall.js auto-execs, src/index.js harvests ~/.ssh/id_rsa + wallet keys/seeds + env and exfils to hardcoded Telegram bot 8227918239:AAGEMDrBZluDsBBYPxfSyMuv2l3FY8cZCcs chat 6433587894. Auto-exec + hardcoded attacker Telegram exfil; "blockchain-helper" identity has no reason to read SSH/wallet keys.
---
## Source: amazon-inspector (8b9fac34e13ad38cb702f7aad434d18aa276005fe5fa4cbe48c7eb65af26623d) The package was found to contain malicious code or consuming dependency that contains malicious code
Decision reason
OpenSSF Malicious Packages via OSV confirms blockchain-helper-0@1.0.0 as malicious (MAL-2026-5352): Malicious code in blockchain-helper-0 (npm)
References
Source & flagged code
0 flaggedNo flagged code excerpts are attached to this scan.
Findings
1 High
HighOsv Malicious Advisory